Detección de listasRules
Espacio de nombres: microsoft.graph.security
Importante
Las API de la versión /beta de Microsoft Graph están sujetas a cambios. No se admite el uso de estas API en aplicaciones de producción. Para determinar si una API está disponible en la versión 1.0, use el selector de Versión.
Obtenga una lista de reglas de detección personalizadas. Con las detecciones personalizadas, puede supervisar y responder de forma proactiva a diversos eventos y estados del sistema, incluida la actividad de infracción sospechosa y los recursos mal configurados en la red de su organización. Las reglas de detección personalizadas, que se escriben en el lenguaje de consulta Kusto (KQL), desencadenan automáticamente alertas y acciones de respuesta una vez que haya eventos que coincidan con sus consultas de KQL.
Esta API está disponible en las siguientes implementaciones nacionales de nube.
| Servicio global | Gobierno de EE. UU. L4 | Us Government L5 (DOD) | China operada por 21Vianet |
|---|---|---|---|
| ✅ | ❌ | ❌ | ❌ |
Permissions
Elija el permiso o los permisos marcados como con privilegios mínimos para esta API. Use un permiso o permisos con privilegios superiores solo si la aplicación lo requiere. Para obtener más información sobre los permisos delegados y de aplicación, consulte Tipos de permisos. Para obtener más información sobre estos permisos, consulte la referencia de permisos.
| Tipo de permiso | Permisos con privilegios mínimos | Permisos con privilegios más altos |
|---|---|---|
| Delegado (cuenta profesional o educativa) | CustomDetection.Read.All | CustomDetection.ReadWrite.All |
| Delegado (cuenta personal de Microsoft) | No admitida. | No admitida. |
| Aplicación | CustomDetection.Read.All | CustomDetection.ReadWrite.All |
Solicitud HTTP
GET /security/rules/detectionRules
Parámetros de consulta opcionales
Este método admite los Parámetros de consulta de OData a modo de ayuda para personalizar la respuesta. Para obtener información general, vea Parámetros de consulta OData.
Encabezados de solicitud
| Nombre | Descripción |
|---|---|
| Authorization | {token} de portador. Obligatorio. |
Cuerpo de la solicitud
No proporcione un cuerpo de solicitud para este método.
Respuesta
Si se ejecuta correctamente, este método devuelve un 200 OK código de respuesta y una colección de objetos detectionRule en el cuerpo de la respuesta.
Ejemplos
Solicitud
En el ejemplo siguiente se muestra la solicitud.
GET https://graph.microsoft.com/beta/security/rules/detectionRules?$top=3
Respuesta
En el ejemplo siguiente se muestra la respuesta.
Nota: Se puede acortar el objeto de respuesta que se muestra aquí para mejorar la legibilidad.
HTTP/1.1 200 OK
Content-Type: application/json
{
"value": [
{
"@odata.type": "#microsoft.graph.security.detectionRule",
"id": "7506",
"displayName": "ban file",
"isEnabled": true,
"createdBy": "NaderK@winatptestlic06.ccsctp.net",
"createdDateTime": "2021-02-28T16:28:15.3863467Z",
"lastModifiedDateTime": "2023-05-24T09:26:11.8630516Z",
"lastModifiedBy": "GlobalAdmin@unifiedrbactest3.ccsctp.net",
"detectorId": "67895317-b2a8-4ac3-8f8b-fa6b7765f2fe",
"queryCondition": {
"queryText": "DeviceFileEvents\r\n| where Timestamp > ago(1h)\r\n| where FileName == \"ifz30zlx.dll\"",
"lastModifiedDateTime": null
},
"schedule": {
"period": "24H",
"nextRunDateTime": "2023-06-26T08:52:06.1766667Z"
},
"lastRunDetails": {
"lastRunDateTime": "2023-06-25T08:52:06.1766667Z",
"status": null,
"failureReason": null,
"errorCode": null
},
"detectionAction": {
"alertTemplate": {
"title": "unwanted dll",
"description": "test",
"severity": "low",
"category": "Malware",
"recommendedActions": null,
"mitreTechniques": [],
"impactedAssets": []
},
"organizationalScope": null,
"responseActions": [
{
"@odata.type": "#microsoft.graph.security.restrictAppExecutionResponseAction",
"identifier": "deviceId"
},
{
"@odata.type": "#microsoft.graph.security.initiateInvestigationResponseAction",
"identifier": "deviceId"
},
{
"@odata.type": "#microsoft.graph.security.collectInvestigationPackageResponseAction",
"identifier": "deviceId"
},
{
"@odata.type": "#microsoft.graph.security.runAntivirusScanResponseAction",
"identifier": "deviceId"
},
{
"@odata.type": "#microsoft.graph.security.isolateDeviceResponseAction",
"isolationType": "full",
"identifier": "deviceId"
},
{
"@odata.type": "#microsoft.graph.security.blockFileResponseAction",
"identifier": "sha1",
"deviceGroupNames": []
}
]
}
},
{
"@odata.type": "#microsoft.graph.security.detectionRule",
"id": "8575",
"displayName": "Continuous_EmailAttachmentInfo_Mod300",
"isEnabled": true,
"createdBy": "rony@winatptestlic06.ccsctp.net",
"createdDateTime": "2021-11-03T21:32:01.6144651Z",
"lastModifiedDateTime": "2022-11-03T19:27:14.4187141Z",
"lastModifiedBy": "InESecAdmin@winatptestlic06.ccsctp.net",
"detectorId": "56ef4994-fe31-4ac9-b29f-0ca2f2cc9112",
"queryCondition": {
"queryText": "EmailAttachmentInfo\r\n| extend second = datetime_diff('second',now(),Timestamp)\r\n| where second % 300 == 0 ",
"lastModifiedDateTime": "2022-11-03T19:27:14.4331537Z"
},
"schedule": {
"period": "0",
"nextRunDateTime": "2021-11-03T21:32:01.7863185Z"
},
"lastRunDetails": {
"lastRunDateTime": "2021-11-03T21:32:01.7863185Z",
"status": null,
"failureReason": null,
"errorCode": null
},
"detectionAction": {
"alertTemplate": {
"title": "EmailAttachmentInfo",
"description": "EmailAttachmentInfo",
"severity": "low",
"category": "Exfiltration",
"recommendedActions": "EmailAttachmentInfo",
"mitreTechniques": [],
"impactedAssets": [
{
"@odata.type": "#microsoft.graph.security.impactedMailboxAsset",
"identifier": "recipientEmailAddress"
},
{
"@odata.type": "#microsoft.graph.security.impactedUserAsset",
"identifier": "recipientObjectId"
}
]
},
"organizationalScope": null,
"responseActions": [
{
"@odata.type": "#microsoft.graph.security.moveToDeletedItemsResponseAction",
"identifier": "networkMessageId, recipientEmailAddress"
}
]
}
},
{
"@odata.type": "#microsoft.graph.security.detectionRule",
"id": "9794",
"displayName": "UPDATED DET: Office/LoLBin Network Connection to Low-Reputation TLD",
"isEnabled": true,
"createdBy": "NaderK@winatptestlic06.ccsctp.net",
"createdDateTime": "2022-02-02T10:26:01.7708581Z",
"lastModifiedDateTime": "2022-02-02T10:26:01.7708581Z",
"lastModifiedBy": "NaderK@winatptestlic06.ccsctp.net",
"detectorId": "67aa92a1-b04b-4f2a-a223-236968a3da96",
"queryCondition": {
"queryText": "//https://www.spamhaus.org/statistics/tlds/ http://www.surbl.org/tld https://www.iana.org/domains/root/db https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/\r\nDeviceNetworkEvents\r\n| where isnotempty(RemoteUrl) and RemoteIPType == \"Public\"\r\n| where InitiatingProcessFileName in~ (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"certutil.exe\", \"bitsadmin.exe\", \"wscript.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\r\n| extend TopLevelDomain=tolower(extract(@\"([A-Za-z0-9-]{1,63}\\.)+([A-Za-z]{2,10})\", 2, RemoteUrl))\r\n| where TopLevelDomain in (\"xyz\", \"top\", \"live\", \"loan\", \"club\", \"surf\", \"work\", \"biz\", \"ryukyu\", \"press\", \"ltd\", \"bid\", \"vip\", \"online\", \"download\" \"buzz\", \"cam\", \"ru\", \"cn\", \"ci\", \"ga\", \"gq\", \"tk\", \"tw\", \"ml\", \"cf\", \"cfd\", \"icu\", \"cm\")\r\n| extend TimeDiff=datetime_diff(\"Second\", Timestamp, InitiatingProcessCreationTime)\r\n| where TimeDiff < 30\r\n| project-reorder Timestamp, DeviceName, RemoteUrl, TopLevelDomain, TimeDiff, InitiatingProcessCommandLine, *\r\n//| summarize count() by InitiatingProcessFolderPath, TopLevelDomain, RemoteUrl",
"lastModifiedDateTime": null
},
"schedule": {
"period": "1H",
"nextRunDateTime": "2023-06-25T10:17:06.4366667Z"
},
"lastRunDetails": {
"lastRunDateTime": "2023-06-25T09:17:06.4366667Z",
"status": null,
"failureReason": null,
"errorCode": null
},
"detectionAction": {
"alertTemplate": {
"title": "updated Office/LoLBin Network Connection to Low-Reputation TLD",
"description": "This is a custom detection created by the Centene Detection Engineering team.\n\nAn Office application or Living-Off-The-Land Binary made an immediate remote connection to a domain with a low-reputation top level domain after execution. This activity is suspicious as threat actors typically use low-reputation TLDs for malicious purposes, such as hosting payloads for potential targets. These TLDs are often abused because of their low cost and lack of oversite. The TLDs included in the list cover destinations that have either a high count or a high percentage of low-reputation sites. ",
"severity": "low",
"category": "CommandAndControl",
"recommendedActions": "Check the reputation of the RemoteUrl through OSINT tools such as VirusTotal and Hybrid Analysis.\n\nReview the document and device timeline for additional context and IOCs. \n\nCheck for related alerts on the associated endpoint. ",
"mitreTechniques": ["T1071.001"],
"impactedAssets": [
{
"@odata.type": "#microsoft.graph.security.impactedDeviceAsset",
"identifier": "deviceId"
}
]
},
"organizationalScope": {
"scopeType": "deviceGroup",
"scopeNames": ["UnassignedGroup"]
},
"responseActions": []
}
}
]
}
Comentarios
Próximamente: A lo largo de 2024 iremos eliminando gradualmente GitHub Issues como mecanismo de comentarios sobre el contenido y lo sustituiremos por un nuevo sistema de comentarios. Para más información, vea: https://aka.ms/ContentUserFeedback.
Enviar y ver comentarios de