Microsoft 365 Defender (mdatp) Backend Pre-Release

[slincoln-detections-ai]

Hello everyone,

I've created a pySigma backend & pipeline for Microsoft 365 Defender (aka mdatp). This will convert rules into Advanced Hunting Queries in Kusto Query Language (KQL):

https://github.com/AttackIQ/pySigma-backend-microsoft365defender

We don't mind publishing it to PyPI ourselves, as we plan to continually improve it, fix bugs, etc. We also don't mind if it's forked and published as part of the SigmaHQ repo, whatever you prefer.

Thanks, and any feedback is greatly appreciated!

[thomaspatzke]

Hi! A very cool and will documented backend! 👍

Do you like to create a pull request to the pySigma plugin directory? This would make your work available for plugin installation in the recent version of the CLI for discovery by users and installation.

While it's not necessary anymore to create a PyPI release anymore, I still recommend to do this because it makes the backend more accessible for other projects and provides clean releases.

Further i recommend to let the pipeline fail for unsupported field mappings. This is much cleaner than silently generating queries that don't work anyways. This behavior also causes the false expectation of a working detection to the user while it is not the case.

[slincoln-detections-ai]

Thank you! I'll make a PR to that repository, as well as our own PyPI release.

As for unsupported field mappings, I originally was going to have the pipeline check for valid fields, and for any fields that were not valid, I was going to use a SetStateTransformation() to add the list of invalid fields to a state key. I was also going to use something similar to DropDetectionItemTransformation() to remove them as detection items, so the query would only use valid fields. However, I ran into the issue described here: #104

The intent behind this was that any invalid fields could be added as a comment to the query by the backend (KQL uses '//' for comments), so the pipeline could still generate a valid query while letting the user know which fields were invalid without erroring out completely. For example:

DeviceProcessEvents
| where ProcessCommandLine contains "mimikatz.exe"
// Invalid fields found in Sigma Rule: InvalidField1, InvalidField2, ...etc

However, if you think its better to just have the pipeline fail to avoid the possibility of incomplete/invalid detections, I can just do that instead.

I will add ProcessingItems to let the pipeline fail on invalid fields before I make a PR and PyPI package for now, then look further into the issue linked above. Thanks again!

[thomaspatzke]

You can add it as backend-specific option to the backend constructor. The reason why I recommend the error is that from my experience and discussions with users that users often rely on the correctness of the queries and these are not further reviewed. Therefore it's important to fail into a safe state by default.