This tool pulls incident and device data from the 365 Defender product to supply the figures needed for report writing. It automatically calculates the one-week date range ending on the day the report is written and provides the following data:
- Date range
- Total incidents
- Severity distribution of True Positive events
- Category distribution
- Total number of endpoints (Appearing in the last week)
- Endpoint OS distribution
- True Positive events:
  - Incident ID, Last activity, Incident Name, Severity, Classification, Impacted Assets
  - Analyst comments
- Incident source distribution
Before running the script, you must modify the values in the config file.
- Uses the report day entered in the config file for the automatic date calculation.
- Supports multiple tenants and offers a tenant selection at startup.
- Exclusion of e-mail alerts.
- Exclusion of Benign Positive alerts.
- Exclusion of alerts whose incident title matches an entry in the given keyword list.
The 'sccauth', 'XSRF-TOKEN', 'ai_session', 's.SessID' and 'SSR' values are automatically extracted from the cookie value you enter.
You can obtain this cookie data from the Network section of your browser's developer tools while logged in to a session at the address below, and set it as the cookie value in the config file.
https://security.microsoft.com/incidents?tid=your_tenant_id
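The pieces described above, as an added worked example that is not the tool's own code: pulling the five named cookies out of a pasted cookie string, deriving the one-week window from the report day, and applying the three exclusions to constructed sample incidents before computing the True Positive distributions. The incident field names, the e-mail source label and the keyword list are assumptions; the portal's real JSON fields may differ.

```python
# Added example, not the tool's own code. Field names, the e-mail source label,
# the keyword list and the sample incidents are assumptions made for illustration.
from collections import Counter
from datetime import date, timedelta

NEEDED_COOKIES = ("sccauth", "XSRF-TOKEN", "ai_session", "s.SessID", "SSR")
EMAIL_SOURCE = "Microsoft Defender for Office 365"   # assumed source label
EXCLUDED_TITLE_KEYWORDS = ("penetration test",)      # assumed config keyword list

def extract_cookies(cookie_header: str) -> dict:
    """Pull the five named cookies out of the raw 'Cookie:' value copied from the browser."""
    jar = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")  # split on the FIRST '=' only
        if sep and name:
            jar[name] = value
    missing = [n for n in NEEDED_COOKIES if n not in jar]
    if missing:
        raise ValueError("cookie value is missing: " + ", ".join(missing))
    return {n: jar[n] for n in NEEDED_COOKIES}

def report_window(report_day: str) -> tuple:
    """One-week range as ISO dates (assumed: the seven days ending on the report day)."""
    end = date.fromisoformat(report_day)
    return (end - timedelta(days=7)).isoformat(), end.isoformat()

def keep_incident(inc: dict, keywords=EXCLUDED_TITLE_KEYWORDS) -> bool:
    """The README's three exclusions: e-mail alerts, Benign Positives, title keywords."""
    if inc["source"] == EMAIL_SOURCE or inc["classification"] == "BenignPositive":
        return False
    return not any(k.lower() in inc["title"].lower() for k in keywords)

def true_positive_stats(incidents: list) -> dict:
    """Severity and category distributions over the True Positives that survive filtering."""
    tp = [i for i in incidents if keep_incident(i) and i["classification"] == "TruePositive"]
    return {"total": len(tp),
            "severity": dict(Counter(i["severity"] for i in tp)),
            "category": dict(Counter(i["category"] for i in tp))}

SAMPLE_INCIDENTS = [  # constructed sample data, not real incidents
    {"id": 1, "title": "Multi-stage incident on one endpoint", "severity": "High",
     "classification": "TruePositive", "category": "Malware", "source": "Microsoft Defender for Endpoint"},
    {"id": 2, "title": "Phishing campaign reported", "severity": "Medium",
     "classification": "TruePositive", "category": "Phishing", "source": EMAIL_SOURCE},
    {"id": 3, "title": "Suspicious sign-in", "severity": "Low",
     "classification": "BenignPositive", "category": "InitialAccess", "source": "Microsoft Defender for Identity"},
    {"id": 4, "title": "Penetration test activity", "severity": "High",
     "classification": "TruePositive", "category": "Malware", "source": "Microsoft Defender for Endpoint"},
]
```

Splitting each cookie on the first '=' only matters because values such as base64 tokens may themselves contain '=' characters.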
python3 -m pip install requests
- Maximum page size:
  - Incidents: 100
  - Devices: 200
- Maximum request rate: 50 calls per minute and 1500 calls per hour.