From 84f3036703bdabdd8278877ac7e8e56870a959f4 Mon Sep 17 00:00:00 2001
From: louismaxx
Date: Thu, 11 May 2023 15:23:12 +0200
Subject: [PATCH 1/3] added account as a datatype entry
The account observable is the default observable in TheHive 5. Username and account can both be queried in LDAP if the entry exists.
---
 analyzers/LdapQuery/LdapQuery.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/analyzers/LdapQuery/LdapQuery.json b/analyzers/LdapQuery/LdapQuery.json
index e2d2f911a..2935244db 100644
--- a/analyzers/LdapQuery/LdapQuery.json
+++ b/analyzers/LdapQuery/LdapQuery.json
@@ -5,7 +5,7 @@
 "url": "https://github.com/cyberpescadito/Cortex-Analyzers/tree/master/analyzers/LdapQuery",
 "license": "AGPL-V3",
 "description": "Query your LDAP server to harvest informations about an user of your organization",
- "dataTypeList": ["username", "mail"],
+ "dataTypeList": ["account", "username", "mail"],
 "command": "LdapQuery/ldapQuery.py",
 "baseConfig": "LdapQuery",
 "configurationItems": [
@@ -59,4 +59,4 @@
 "required": true
 }
 ]
-}
\ No newline at end of file
+}
From 8abc5367b2bbf078a5c5888af81bc084535f2a25 Mon Sep 17 00:00:00 2001
From: louismaxx
Date: Thu, 11 May 2023 15:28:23 +0200
Subject: [PATCH 2/3] Bump version number to 2.1 and typo
---
 analyzers/LdapQuery/LdapQuery.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/analyzers/LdapQuery/LdapQuery.json b/analyzers/LdapQuery/LdapQuery.json
index 2935244db..a01a86592 100644
--- a/analyzers/LdapQuery/LdapQuery.json
+++ b/analyzers/LdapQuery/LdapQuery.json
@@ -1,6 +1,6 @@
 {
 "name": "Ldap_Query",
- "version": "2.0",
+ "version": "2.1",
 "author": "Florian Perret @cyber_pescadito",
 "url": "https://github.com/cyberpescadito/Cortex-Analyzers/tree/master/analyzers/LdapQuery",
 "license": "AGPL-V3",
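Review bot: The new `"dataTypeList": ["account", "username", "mail"]` line makes Cortex hand TheHive account observables to this analyzer, but the script that consumes them, `LdapQuery/ldapQuery.py` from the `command` line of the same hunk, is not touched by this patch. If that script chooses the LDAP search attribute by data type, `account` presumably needs its own branch rather than falling into whatever default exists; the commit message asserts both work, so this is worth confirming in the same change. Since the observable value presumably ends up inside an LDAP search filter, the same check should confirm the script escapes filter metacharacters before interpolating it, as the analyzer now accepts a broader, user-supplied observable type.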
@@ -25,7 +25,7 @@
 },
 {
 "name": "LDAP_username",
- "description": "Usernae of the account that will be used to bind to LDAP server. The Account should have permissions to read ldap objects and attributes.",
+ "description": "Username of the account that will be used to bind to LDAP server. The Account should have permissions to read ldap objects and attributes.",
 "type": "string",
 "multi": false,
 "required": true
From 7dff29f65d2f9442fd2e276d3defba1ccfa85b35 Mon Sep 17 00:00:00 2001
From: louismaxx
Date: Fri, 29 Sep 2023 17:52:21 +0200
Subject: [PATCH 3/3] Fixed URL & added the ability to have both machine id
The url used to request a token is malformed. A / was missing between the URI and the tenantID. Also, when an org has not chosen to sync its computers in AzureAD(or Entra), the aadDeviceId field is null. the default field will therefore be "id". That field is attributed by MDE
---
 responders/MSDefenderEndpoints/MSDefenderEndpoints.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints.py b/responders/MSDefenderEndpoints/MSDefenderEndpoints.py
index 8775fd5f9..8906da7fe 100755
--- a/responders/MSDefenderEndpoints/MSDefenderEndpoints.py
+++ b/responders/MSDefenderEndpoints/MSDefenderEndpoints.py
@@ -31,7 +31,7 @@ def __init__(self):
 def run(self):
 Responder.run(self)
- url = "{}{}/oauth2/token".format(
+ url = "{}/{}/oauth2/token".format(
 self.msdefenderOAuthUri,self.msdefenderTenantId
 )
@@ -77,7 +77,8 @@ def getMachineId(id):
 if response.status_code == 200:
 jsonResponse = response.json()
 if len(response.content) > 100:
- return jsonResponse["value"][0]["aadDeviceId"]
+ if jsonResponse["value"][0]["aadDeviceId"] is None:
+ return jsonResponse["value"][0]["id"]
 else:
 self.error({'message': "Can't get hostname from Microsoft API"})
 except requests.exceptions.RequestException as e:
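Review bot: The new `url = "{}/{}/oauth2/token".format(` line fixes the missing separator only for a configured OAuth URI without a trailing slash; if `msdefenderOAuthUri` is ever configured with one, the token URL now contains `//` before the tenant id. Passing `self.msdefenderOAuthUri.rstrip("/")` as the first format argument tolerates both forms. How the URI is validated when it is read is not visible in this hunk, so this is only worth doing if the config item does not already normalise it.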
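Review bot: The rewritten branch under `if len(response.content) > 100:` no longer returns anything when `aadDeviceId` is populated: the old `return jsonResponse["value"][0]["aadDeviceId"]` is removed and only the new `is None` case returns, so for devices that do have an Entra device id getMachineId now falls through, presumably to an implicit None, unless a return outside the hunk catches it. The commit message says both ids should be supported, so the intent seems to be a fallback, which needs one more line after the new `if` block: `return jsonResponse["value"][0]["aadDeviceId"]`. getMachineId begins and ends outside the hunk and the indentation was lost in this rendering, so the exact placement should be checked against the file; `jsonResponse["value"][0].get("aadDeviceId")` would additionally survive a response that omits the key rather than nulling it.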