ms defend actions client
ashokaditya committed Dec 23, 2024
1 parent 69ed613 commit de81c78
Showing 7 changed files with 270 additions and 1 deletion.
Expand Up @@ -12,7 +12,12 @@ export type ResponseActionStatus = (typeof RESPONSE_ACTION_STATUS)[number];
export const RESPONSE_ACTION_TYPE = ['automated', 'manual'] as const;
export type ResponseActionType = (typeof RESPONSE_ACTION_TYPE)[number];

export const RESPONSE_ACTION_AGENT_TYPE = ['endpoint', 'sentinel_one', 'crowdstrike'] as const;
export const RESPONSE_ACTION_AGENT_TYPE = [
'endpoint',
'sentinel_one',
'crowdstrike',
'microsoft_defender_endpoint',
] as const;
export type ResponseActionAgentType = (typeof RESPONSE_ACTION_AGENT_TYPE)[number];

/**
Expand Down Expand Up @@ -181,6 +186,7 @@ export const RESPONSE_ACTIONS_ZIP_PASSCODE: Readonly<Record<ResponseActionAgentT
endpoint: 'elastic',
sentinel_one: 'Elastic@123',
crowdstrike: 'tbd..',
microsoft_defender_endpoint: 'tbd..',
});

/**
Expand All @@ -206,6 +212,7 @@ export const RESPONSE_ACTIONS_ALERT_AGENT_ID_FIELDS: Readonly<
'sentinel_one.agent.agent.id',
],
crowdstrike: ['device.id'],
microsoft_defender_endpoint: ['agent.id'],
});

export const SUPPORTED_AGENT_ID_ALERT_FIELDS: Readonly<string[]> = Object.values(
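Review bot: `microsoft_defender_endpoint: ['agent.id']` in RESPONSE_ACTIONS_ALERT_AGENT_ID_FIELDS uses a generic ECS field where the neighbouring entries (`sentinel_one.agent.agent.id`, `device.id`) are vendor-specific, and the value flows into `SUPPORTED_AGENT_ID_ALERT_FIELDS` through the `Object.values` call on the next line, so alerts from other sources that carry an `agent.id` may now satisfy the "has a supported agent id field" check; whether this is the field Defender alerts actually populate with the Machine Id cannot be confirmed from this hunk. A one-line comment recording the source would help the next reader, e.g. `microsoft_defender_endpoint: ['agent.id'], // TODO(review): confirm this is the field the MDE integration writes the Machine Id to`. In the earlier hunk the `'tbd..'` entry added to RESPONSE_ACTIONS_ZIP_PASSCODE copies the crowdstrike placeholder; it is unreachable while `get-file` stays disabled for this agent type in RESPONSE_ACTIONS_SUPPORT_MAP, but marking it as a placeholder in a comment would stop it shipping as a real passcode once get-file is enabled.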
Expand Up @@ -23,119 +23,139 @@ const RESPONSE_ACTIONS_SUPPORT_MAP: SupportMap = {
endpoint: true,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
manual: {
endpoint: true,
sentinel_one: true,
crowdstrike: true,
microsoft_defender_endpoint: true,
},
},
unisolate: {
automated: {
endpoint: false,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
manual: {
endpoint: true,
sentinel_one: true,
crowdstrike: true,
microsoft_defender_endpoint: true,
},
},
upload: {
automated: {
endpoint: false,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
manual: {
endpoint: true,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
},
'get-file': {
automated: {
endpoint: false,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
manual: {
endpoint: true,
sentinel_one: true,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
},
'kill-process': {
automated: {
endpoint: true,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
manual: {
endpoint: true,
sentinel_one: true,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
},
execute: {
automated: {
endpoint: false,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
manual: {
endpoint: true,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
},
'suspend-process': {
automated: {
endpoint: true,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
manual: {
endpoint: true,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
},
'running-processes': {
automated: {
endpoint: false,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
manual: {
endpoint: true,
sentinel_one: true,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
},
scan: {
automated: {
endpoint: false,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
manual: {
endpoint: true,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
},
runscript: {
automated: {
endpoint: false,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
manual: {
endpoint: false,
sentinel_one: false,
crowdstrike: true,
microsoft_defender_endpoint: false,
},
},
};
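Review bot: Manual `isolate` (presumably the first block of this hunk, whose key sits above the hunk) and `unisolate` are switched on for `microsoft_defender_endpoint` while every other command is off; these two flags are what make the new agent type reachable through this map, and the client that would implement them is not visible on this page, so I cannot verify that both commands are handled there. Suggest either a short comment above the enabled entries naming the client method that backs them, or a unit test asserting that the set of commands enabled here for `microsoft_defender_endpoint` equals the set MicrosoftDefenderEndpointActionsClient actually implements, so the gate and the implementation cannot drift apart. The enclosing `RESPONSE_ACTIONS_SUPPORT_MAP` literal starts before this hunk.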
Expand Up @@ -15,6 +15,7 @@ export * from './trusted_apps';
export * from './utility_types';
export * from './agents';
export * from './sentinel_one';
export * from './microsoft_defender_endpoint';
export type { ConditionEntriesMap, ConditionEntry } from './exception_list_items';

/**
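--- /dev/null
+++ b/[new file: path not shown on page]
@@ -0,0 +1,13 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+
+export interface MicrosoftDefenderEndpointActionRequestCommonMeta {
+/** MS Defender for Endpoint Machine Id */
+agentId: string;
+/** MS Defender for Endpoint Computer DNS Name **/
+hostName: string;
+}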
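Review bot: The doc comment on `hostName` closes with `**/` while the one on `agentId` closes with `*/`; make them consistent, `/** MS Defender for Endpoint Computer DNS Name */`. The interface itself carries no TSDoc even though it appears to be the module re-exported from the common index in this commit, so consumers only have the name to go on; a one-line summary such as `/** Metadata common to every MS Defender for Endpoint response-action request. */` above the `export interface` line would state the contract the name implies.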
Expand Up @@ -29,51 +29,61 @@ const COMMANDS_WITH_ACCESS_TO_FILES: CommandsWithFileAccess = deepFreeze<Command
endpoint: true,
sentinel_one: true,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
execute: {
endpoint: true,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
'running-processes': {
endpoint: false,
sentinel_one: true,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
upload: {
endpoint: false,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
scan: {
endpoint: false,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
isolate: {
endpoint: false,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
unisolate: {
endpoint: false,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
'kill-process': {
endpoint: false,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
'suspend-process': {
endpoint: false,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
runscript: {
endpoint: false,
sentinel_one: false,
crowdstrike: false,
microsoft_defender_endpoint: false,
},
});

Expand Up @@ -14,6 +14,7 @@ import { UnsupportedResponseActionsAgentTypeError } from './errors';
import type { ResponseActionAgentType } from '../../../../../common/endpoint/service/response_actions/constants';
import type { CrowdstrikeActionsClientOptions } from './crowdstrike/crowdstrike_actions_client';
import { CrowdstrikeActionsClient } from './crowdstrike/crowdstrike_actions_client';
import { MicrosoftDefenderEndpointActionsClient } from './microsoft/defender/endpoint/ms_defender_endpoint_actions_client';

export type GetResponseActionsClientConstructorOptions = ResponseActionsClientOptions &
SentinelOneActionsClientOptions &
Expand All @@ -37,6 +38,8 @@ export const getResponseActionsClient = (
return new SentinelOneActionsClient(constructorOptions);
case 'crowdstrike':
return new CrowdstrikeActionsClient(constructorOptions);
case 'microsoft_defender_endpoint':
return new MicrosoftDefenderEndpointActionsClient(constructorOptions);
default:
throw new UnsupportedResponseActionsAgentTypeError(
`Agent type [${agentType}] does not support response actions`
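Review bot: The new `case 'microsoft_defender_endpoint'` hands `constructorOptions` to MicrosoftDefenderEndpointActionsClient, but unlike `CrowdstrikeActionsClientOptions` (imported just above the new import) no Defender-specific options type is added to the `GetResponseActionsClientConstructorOptions` intersection, so any fields the new client requires are not checked at the call site; if the client declares its own options type, intersect it there too, e.g. `import type { MicrosoftDefenderEndpointActionsClientOptions } from './microsoft/defender/endpoint/ms_defender_endpoint_actions_client';` added to the intersection alongside the existing members. Whether such a type exists cannot be seen from this hunk. Both the type alias and `getResponseActionsClient` continue outside the hunk.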
