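---
# Action definition template.
# Fill in the header fields, put the source-platform query under `Query`,
# and enable only the targets this action should push its results to.
# Header keys left empty below parse as null until a value is supplied.
Name: # Choose a name that describes the action
ID: # Unique ID (short version of the name, no spaces, will end up in the logs)
Description: # Short description (one-liner)
Author: FalconForce # Optional: Author of the action
Version: '1.0' # Optional: Version of the action (quoted so 1.10 is not read as the float 1.1)
# Optional free text; indent its lines more than the key to make them part of the block scalar.
Info: |- # Optional: Additional information about the action
Active: true # Enable to run this action
# Verbose console output echoes the query results; set to false outside of development/troubleshooting.
Debug: true # Enable to see verbose results on the console
SourcePlatform: MDE # Supported sources; Sentinel, Neo4j, MDE, Graph
Query: | # Query to run against the source platform
  -query here-
# Targets are the platforms that this action will push to.
# Target types used in this template: CSV, Sentinel, Splunk, Neo4j, Watchlist, ADX, Markdown.
Targets:
  - Name: CSV
    Enabled: true
    Path: output/get_sessions_mde.csv # Adjust to match the action ID
  - Name: Sentinel
    Enabled: true
  - Name: Splunk
    Enabled: true
  - Name: Neo4j
    Enabled: true
    # Values from the source query are passed as Cypher parameters ($device_name, $cve_ids)
    # rather than interpolated into the query text. The node is bound as `c` so the SET
    # clause refers to a defined variable.
    Query: |
      MATCH (c:Computer {name:$device_name}) SET c.exploitable = true, c.exploits = $cve_ids
    # Maps each Cypher parameter to the column of the source query result that supplies it.
    Parameters:
      device_name: DeviceName
      cve_ids: CveIds
  - Name: Watchlist
    Enabled: true
    WatchlistName: FH_MDE_Exploitable_Machines
    DisplayName: MDE Exploitable Machines
    SearchKey: DeviceName
    Overwrite: true # Overwrite the watchlist with the query results, when false it will append the results to the watchlist
  - Name: ADX
    Enabled: true
    Table: FalconHound
    BatchSize: 1000 # Number of records to push to ADX in one batch, these will show up in the ADX table as 1 row with an array of values
  - Name: Markdown
    Enabled: true
    # Quoted because the value is templated; keeps it a string even if the placeholder moves to the start.
    Path: 'reports/{{date}}/get_sessions_mde.md' # Adjust to match the action ID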