Escolha a permissão ou permissões marcadas como menos privilegiadas para esta API. Utilize uma permissão ou permissões com privilégios mais elevados apenas se a sua aplicação o exigir. Para obter detalhes sobre as permissões delegadas e de aplicação, veja Tipos de permissão. Para saber mais sobre estas permissões, veja a referência de permissões.
O exemplo a seguir mostra uma solicitação.
POST https://graph.microsoft.com/beta/security/rules/detectionRules
Content-Type: application/json
{
"@odata.type": "#microsoft.graph.security.detectionRule",
"id": "office-encoded-powershell",
"displayName": "Suspicious encoded PowerShell from Office",
"description": "Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern.",
"status": "enabled",
"queryCondition": {
"queryText": "DeviceProcessEvents | where InitiatingProcessFileName in~ ('winword.exe','excel.exe','outlook.exe') | where FileName == 'powershell.exe' | where ProcessCommandLine has '-enc'"
},
"schedule": {
"frequency": "PT1H"
},
"detectionAction": {
"alertTemplate": {
"title": "Suspicious encoded PowerShell from Office",
"description": "An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution.",
"severity": "high",
"recommendedActions": "Investigate the parent Office document, isolate the device, and review the user's recent email activity.",
"entityMappings": {
"accounts": [
{
"nameColumn": "AccountName",
"ntDomainColumn": "AccountDomain",
"sidColumn": "AccountSid"
}
],
"hosts": [
{
"deviceIdColumn": "DeviceId",
"nameColumn": "DeviceName"
}
],
"files": [
{
"nameColumn": "FileName",
"sha1Column": "SHA1",
"sha256Column": "SHA256"
}
]
},
"tactics": [
{
"tactic": "Execution",
"techniques": [
{
"technique": "T1059.001"
}
]
}
]
}
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models.Security;
var requestBody = new DetectionRule
{
OdataType = "#microsoft.graph.security.detectionRule",
Id = "office-encoded-powershell",
DisplayName = "Suspicious encoded PowerShell from Office",
Description = "Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern.",
Status = DetectionRuleStatus.Enabled,
QueryCondition = new QueryCondition
{
QueryText = "DeviceProcessEvents | where InitiatingProcessFileName in~ ('winword.exe','excel.exe','outlook.exe') | where FileName == 'powershell.exe' | where ProcessCommandLine has '-enc'",
},
Schedule = new RuleSchedule
{
Frequency = TimeSpan.Parse("PT1H"),
},
DetectionAction = new DetectionAction
{
AlertTemplate = new AlertTemplate
{
Title = "Suspicious encoded PowerShell from Office",
Description = "An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution.",
Severity = AlertSeverity.High,
RecommendedActions = "Investigate the parent Office document, isolate the device, and review the user's recent email activity.",
EntityMappings = new EntityMappingConfiguration
{
Accounts = new List<AccountEntityMapping>
{
new AccountEntityMapping
{
NameColumn = "AccountName",
NtDomainColumn = "AccountDomain",
SidColumn = "AccountSid",
},
},
Hosts = new List<HostEntityMapping>
{
new HostEntityMapping
{
DeviceIdColumn = "DeviceId",
NameColumn = "DeviceName",
},
},
Files = new List<FileEntityMapping>
{
new FileEntityMapping
{
NameColumn = "FileName",
Sha1Column = "SHA1",
Sha256Column = "SHA256",
},
},
},
Tactics = new List<MitreTactic>
{
new MitreTactic
{
Tactic = "Execution",
Techniques = new List<MitreTechnique>
{
new MitreTechnique
{
Technique = "T1059.001",
},
},
},
},
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.Rules.DetectionRules.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodelssecurity "github.com/microsoftgraph/msgraph-beta-sdk-go/models/security"
//other-imports
)
requestBody := graphmodelssecurity.NewDetectionRule()
id := "office-encoded-powershell"
requestBody.SetId(&id)
displayName := "Suspicious encoded PowerShell from Office"
requestBody.SetDisplayName(&displayName)
description := "Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern."
requestBody.SetDescription(&description)
status := graphmodels.ENABLED_DETECTIONRULESTATUS
requestBody.SetStatus(&status)
queryCondition := graphmodelssecurity.NewQueryCondition()
queryText := "DeviceProcessEvents | where InitiatingProcessFileName in~ ('winword.exe','excel.exe','outlook.exe') | where FileName == 'powershell.exe' | where ProcessCommandLine has '-enc'"
queryCondition.SetQueryText(&queryText)
requestBody.SetQueryCondition(queryCondition)
schedule := graphmodelssecurity.NewRuleSchedule()
frequency , err := abstractions.ParseISODuration("PT1H")
schedule.SetFrequency(&frequency)
requestBody.SetSchedule(schedule)
detectionAction := graphmodelssecurity.NewDetectionAction()
alertTemplate := graphmodelssecurity.NewAlertTemplate()
title := "Suspicious encoded PowerShell from Office"
alertTemplate.SetTitle(&title)
description := "An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution."
alertTemplate.SetDescription(&description)
severity := graphmodels.HIGH_ALERTSEVERITY
alertTemplate.SetSeverity(&severity)
recommendedActions := "Investigate the parent Office document, isolate the device, and review the user's recent email activity."
alertTemplate.SetRecommendedActions(&recommendedActions)
entityMappings := graphmodelssecurity.NewEntityMappingConfiguration()
accountEntityMapping := graphmodelssecurity.NewAccountEntityMapping()
nameColumn := "AccountName"
accountEntityMapping.SetNameColumn(&nameColumn)
ntDomainColumn := "AccountDomain"
accountEntityMapping.SetNtDomainColumn(&ntDomainColumn)
sidColumn := "AccountSid"
accountEntityMapping.SetSidColumn(&sidColumn)
accounts := []graphmodelssecurity.AccountEntityMappingable {
accountEntityMapping,
}
entityMappings.SetAccounts(accounts)
hostEntityMapping := graphmodelssecurity.NewHostEntityMapping()
deviceIdColumn := "DeviceId"
hostEntityMapping.SetDeviceIdColumn(&deviceIdColumn)
nameColumn := "DeviceName"
hostEntityMapping.SetNameColumn(&nameColumn)
hosts := []graphmodelssecurity.HostEntityMappingable {
hostEntityMapping,
}
entityMappings.SetHosts(hosts)
fileEntityMapping := graphmodelssecurity.NewFileEntityMapping()
nameColumn := "FileName"
fileEntityMapping.SetNameColumn(&nameColumn)
sha1Column := "SHA1"
fileEntityMapping.SetSha1Column(&sha1Column)
sha256Column := "SHA256"
fileEntityMapping.SetSha256Column(&sha256Column)
files := []graphmodelssecurity.FileEntityMappingable {
fileEntityMapping,
}
entityMappings.SetFiles(files)
alertTemplate.SetEntityMappings(entityMappings)
mitreTactic := graphmodelssecurity.NewMitreTactic()
tactic := "Execution"
mitreTactic.SetTactic(&tactic)
mitreTechnique := graphmodelssecurity.NewMitreTechnique()
technique := "T1059.001"
mitreTechnique.SetTechnique(&technique)
techniques := []graphmodelssecurity.MitreTechniqueable {
mitreTechnique,
}
mitreTactic.SetTechniques(techniques)
tactics := []graphmodelssecurity.MitreTacticable {
mitreTactic,
}
alertTemplate.SetTactics(tactics)
detectionAction.SetAlertTemplate(alertTemplate)
requestBody.SetDetectionAction(detectionAction)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
detectionRules, err := graphClient.Security().Rules().DetectionRules().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.beta.models.security.DetectionRule detectionRule = new com.microsoft.graph.beta.models.security.DetectionRule();
detectionRule.setOdataType("#microsoft.graph.security.detectionRule");
detectionRule.setId("office-encoded-powershell");
detectionRule.setDisplayName("Suspicious encoded PowerShell from Office");
detectionRule.setDescription("Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern.");
detectionRule.setStatus(com.microsoft.graph.beta.models.security.DetectionRuleStatus.Enabled);
com.microsoft.graph.beta.models.security.QueryCondition queryCondition = new com.microsoft.graph.beta.models.security.QueryCondition();
queryCondition.setQueryText("DeviceProcessEvents | where InitiatingProcessFileName in~ ('winword.exe','excel.exe','outlook.exe') | where FileName == 'powershell.exe' | where ProcessCommandLine has '-enc'");
detectionRule.setQueryCondition(queryCondition);
com.microsoft.graph.beta.models.security.RuleSchedule schedule = new com.microsoft.graph.beta.models.security.RuleSchedule();
PeriodAndDuration frequency = PeriodAndDuration.ofDuration(Duration.parse("PT1H"));
schedule.setFrequency(frequency);
detectionRule.setSchedule(schedule);
com.microsoft.graph.beta.models.security.DetectionAction detectionAction = new com.microsoft.graph.beta.models.security.DetectionAction();
com.microsoft.graph.beta.models.security.AlertTemplate alertTemplate = new com.microsoft.graph.beta.models.security.AlertTemplate();
alertTemplate.setTitle("Suspicious encoded PowerShell from Office");
alertTemplate.setDescription("An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution.");
alertTemplate.setSeverity(com.microsoft.graph.beta.models.security.AlertSeverity.High);
alertTemplate.setRecommendedActions("Investigate the parent Office document, isolate the device, and review the user's recent email activity.");
com.microsoft.graph.beta.models.security.EntityMappingConfiguration entityMappings = new com.microsoft.graph.beta.models.security.EntityMappingConfiguration();
LinkedList<com.microsoft.graph.beta.models.security.AccountEntityMapping> accounts = new LinkedList<com.microsoft.graph.beta.models.security.AccountEntityMapping>();
com.microsoft.graph.beta.models.security.AccountEntityMapping accountEntityMapping = new com.microsoft.graph.beta.models.security.AccountEntityMapping();
accountEntityMapping.setNameColumn("AccountName");
accountEntityMapping.setNtDomainColumn("AccountDomain");
accountEntityMapping.setSidColumn("AccountSid");
accounts.add(accountEntityMapping);
entityMappings.setAccounts(accounts);
LinkedList<com.microsoft.graph.beta.models.security.HostEntityMapping> hosts = new LinkedList<com.microsoft.graph.beta.models.security.HostEntityMapping>();
com.microsoft.graph.beta.models.security.HostEntityMapping hostEntityMapping = new com.microsoft.graph.beta.models.security.HostEntityMapping();
hostEntityMapping.setDeviceIdColumn("DeviceId");
hostEntityMapping.setNameColumn("DeviceName");
hosts.add(hostEntityMapping);
entityMappings.setHosts(hosts);
LinkedList<com.microsoft.graph.beta.models.security.FileEntityMapping> files = new LinkedList<com.microsoft.graph.beta.models.security.FileEntityMapping>();
com.microsoft.graph.beta.models.security.FileEntityMapping fileEntityMapping = new com.microsoft.graph.beta.models.security.FileEntityMapping();
fileEntityMapping.setNameColumn("FileName");
fileEntityMapping.setSha1Column("SHA1");
fileEntityMapping.setSha256Column("SHA256");
files.add(fileEntityMapping);
entityMappings.setFiles(files);
alertTemplate.setEntityMappings(entityMappings);
LinkedList<com.microsoft.graph.beta.models.security.MitreTactic> tactics = new LinkedList<com.microsoft.graph.beta.models.security.MitreTactic>();
com.microsoft.graph.beta.models.security.MitreTactic mitreTactic = new com.microsoft.graph.beta.models.security.MitreTactic();
mitreTactic.setTactic("Execution");
LinkedList<com.microsoft.graph.beta.models.security.MitreTechnique> techniques = new LinkedList<com.microsoft.graph.beta.models.security.MitreTechnique>();
com.microsoft.graph.beta.models.security.MitreTechnique mitreTechnique = new com.microsoft.graph.beta.models.security.MitreTechnique();
mitreTechnique.setTechnique("T1059.001");
techniques.add(mitreTechnique);
mitreTactic.setTechniques(techniques);
tactics.add(mitreTactic);
alertTemplate.setTactics(tactics);
detectionAction.setAlertTemplate(alertTemplate);
detectionRule.setDetectionAction(detectionAction);
com.microsoft.graph.models.security.DetectionRule result = graphClient.security().rules().detectionRules().post(detectionRule);
const options = {
authProvider,
};
const client = Client.init(options);
const detectionRule = {
'@odata.type': '#microsoft.graph.security.detectionRule',
id: 'office-encoded-powershell',
displayName: 'Suspicious encoded PowerShell from Office',
description: 'Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern.',
status: 'enabled',
queryCondition: {
queryText: 'DeviceProcessEvents | where InitiatingProcessFileName in~ (\'winword.exe\',\'excel.exe\',\'outlook.exe\') | where FileName == \'powershell.exe\' | where ProcessCommandLine has \'-enc\''
},
schedule: {
frequency: 'PT1H'
},
detectionAction: {
alertTemplate: {
title: 'Suspicious encoded PowerShell from Office',
description: 'An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution.',
severity: 'high',
recommendedActions: 'Investigate the parent Office document, isolate the device, and review the user\'s recent email activity.',
entityMappings: {
accounts: [
{
nameColumn: 'AccountName',
ntDomainColumn: 'AccountDomain',
sidColumn: 'AccountSid'
}
],
hosts: [
{
deviceIdColumn: 'DeviceId',
nameColumn: 'DeviceName'
}
],
files: [
{
nameColumn: 'FileName',
sha1Column: 'SHA1',
sha256Column: 'SHA256'
}
]
},
tactics: [
{
tactic: 'Execution',
techniques: [
{
technique: 'T1059.001'
}
]
}
]
}
}
};
await client.api('/security/rules/detectionRules')
.version('beta')
.post(detectionRule);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Security\DetectionRule;
use Microsoft\Graph\Beta\Generated\Models\Security\DetectionRuleStatus;
use Microsoft\Graph\Beta\Generated\Models\Security\QueryCondition;
use Microsoft\Graph\Beta\Generated\Models\Security\RuleSchedule;
use Microsoft\Graph\Beta\Generated\Models\Security\DetectionAction;
use Microsoft\Graph\Beta\Generated\Models\Security\AlertTemplate;
use Microsoft\Graph\Beta\Generated\Models\Security\AlertSeverity;
use Microsoft\Graph\Beta\Generated\Models\Security\EntityMappingConfiguration;
use Microsoft\Graph\Beta\Generated\Models\Security\AccountEntityMapping;
use Microsoft\Graph\Beta\Generated\Models\Security\HostEntityMapping;
use Microsoft\Graph\Beta\Generated\Models\Security\FileEntityMapping;
use Microsoft\Graph\Beta\Generated\Models\Security\MitreTactic;
use Microsoft\Graph\Beta\Generated\Models\Security\MitreTechnique;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new DetectionRule();
$requestBody->setOdataType('#microsoft.graph.security.detectionRule');
$requestBody->setId('office-encoded-powershell');
$requestBody->setDisplayName('Suspicious encoded PowerShell from Office');
$requestBody->setDescription('Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern.');
$requestBody->setStatus(new DetectionRuleStatus('enabled'));
$queryCondition = new QueryCondition();
$queryCondition->setQueryText('DeviceProcessEvents | where InitiatingProcessFileName in~ (\'winword.exe\',\'excel.exe\',\'outlook.exe\') | where FileName == \'powershell.exe\' | where ProcessCommandLine has \'-enc\'');
$requestBody->setQueryCondition($queryCondition);
$schedule = new RuleSchedule();
$schedule->setFrequency(new \DateInterval('PT1H'));
$requestBody->setSchedule($schedule);
$detectionAction = new DetectionAction();
$detectionActionAlertTemplate = new AlertTemplate();
$detectionActionAlertTemplate->setTitle('Suspicious encoded PowerShell from Office');
$detectionActionAlertTemplate->setDescription('An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution.');
$detectionActionAlertTemplate->setSeverity(new AlertSeverity('high'));
$detectionActionAlertTemplate->setRecommendedActions('Investigate the parent Office document, isolate the device, and review the user\'s recent email activity.');
$detectionActionAlertTemplateEntityMappings = new EntityMappingConfiguration();
$accountsAccountEntityMapping1 = new AccountEntityMapping();
$accountsAccountEntityMapping1->setNameColumn('AccountName');
$accountsAccountEntityMapping1->setNtDomainColumn('AccountDomain');
$accountsAccountEntityMapping1->setSidColumn('AccountSid');
$accountsArray []= $accountsAccountEntityMapping1;
$detectionActionAlertTemplateEntityMappings->setAccounts($accountsArray);
$hostsHostEntityMapping1 = new HostEntityMapping();
$hostsHostEntityMapping1->setDeviceIdColumn('DeviceId');
$hostsHostEntityMapping1->setNameColumn('DeviceName');
$hostsArray []= $hostsHostEntityMapping1;
$detectionActionAlertTemplateEntityMappings->setHosts($hostsArray);
$filesFileEntityMapping1 = new FileEntityMapping();
$filesFileEntityMapping1->setNameColumn('FileName');
$filesFileEntityMapping1->setSha1Column('SHA1');
$filesFileEntityMapping1->setSha256Column('SHA256');
$filesArray []= $filesFileEntityMapping1;
$detectionActionAlertTemplateEntityMappings->setFiles($filesArray);
$detectionActionAlertTemplate->setEntityMappings($detectionActionAlertTemplateEntityMappings);
$tacticsMitreTactic1 = new MitreTactic();
$tacticsMitreTactic1->setTactic('Execution');
$techniquesMitreTechnique1 = new MitreTechnique();
$techniquesMitreTechnique1->setTechnique('T1059.001');
$techniquesArray []= $techniquesMitreTechnique1;
$tacticsMitreTactic1->setTechniques($techniquesArray);
$tacticsArray []= $tacticsMitreTactic1;
$detectionActionAlertTemplate->setTactics($tacticsArray);
$detectionAction->setAlertTemplate($detectionActionAlertTemplate);
$requestBody->setDetectionAction($detectionAction);
$result = $graphServiceClient->security()->rules()->detectionRules()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Security
$params = @{
"@odata.type" = "#microsoft.graph.security.detectionRule"
id = "office-encoded-powershell"
displayName = "Suspicious encoded PowerShell from Office"
description = "Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern."
status = "enabled"
queryCondition = @{
queryText = "DeviceProcessEvents | where InitiatingProcessFileName in~ ('winword.exe','excel.exe','outlook.exe') | where FileName == 'powershell.exe' | where ProcessCommandLine has '-enc'"
}
schedule = @{
frequency = "PT1H"
}
detectionAction = @{
alertTemplate = @{
title = "Suspicious encoded PowerShell from Office"
description = "An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution."
severity = "high"
recommendedActions = "Investigate the parent Office document, isolate the device, and review the user's recent email activity."
entityMappings = @{
accounts = @(
@{
nameColumn = "AccountName"
ntDomainColumn = "AccountDomain"
sidColumn = "AccountSid"
}
)
hosts = @(
@{
deviceIdColumn = "DeviceId"
nameColumn = "DeviceName"
}
)
files = @(
@{
nameColumn = "FileName"
sha1Column = "SHA1"
sha256Column = "SHA256"
}
)
}
tactics = @(
@{
tactic = "Execution"
techniques = @(
@{
technique = "T1059.001"
}
)
}
)
}
}
}
New-MgBetaSecurityRuleDetectionRule -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.security.detection_rule import DetectionRule
from msgraph_beta.generated.models.detection_rule_status import DetectionRuleStatus
from msgraph_beta.generated.models.security.query_condition import QueryCondition
from msgraph_beta.generated.models.security.rule_schedule import RuleSchedule
from msgraph_beta.generated.models.security.detection_action import DetectionAction
from msgraph_beta.generated.models.security.alert_template import AlertTemplate
from msgraph_beta.generated.models.alert_severity import AlertSeverity
from msgraph_beta.generated.models.security.entity_mapping_configuration import EntityMappingConfiguration
from msgraph_beta.generated.models.security.account_entity_mapping import AccountEntityMapping
from msgraph_beta.generated.models.security.host_entity_mapping import HostEntityMapping
from msgraph_beta.generated.models.security.file_entity_mapping import FileEntityMapping
from msgraph_beta.generated.models.security.mitre_tactic import MitreTactic
from msgraph_beta.generated.models.security.mitre_technique import MitreTechnique
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = DetectionRule(
odata_type = "#microsoft.graph.security.detectionRule",
id = "office-encoded-powershell",
display_name = "Suspicious encoded PowerShell from Office",
description = "Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern.",
status = DetectionRuleStatus.Enabled,
query_condition = QueryCondition(
query_text = "DeviceProcessEvents | where InitiatingProcessFileName in~ ('winword.exe','excel.exe','outlook.exe') | where FileName == 'powershell.exe' | where ProcessCommandLine has '-enc'",
),
schedule = RuleSchedule(
frequency = "PT1H",
),
detection_action = DetectionAction(
alert_template = AlertTemplate(
title = "Suspicious encoded PowerShell from Office",
description = "An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution.",
severity = AlertSeverity.High,
recommended_actions = "Investigate the parent Office document, isolate the device, and review the user's recent email activity.",
entity_mappings = EntityMappingConfiguration(
accounts = [
AccountEntityMapping(
name_column = "AccountName",
nt_domain_column = "AccountDomain",
sid_column = "AccountSid",
),
],
hosts = [
HostEntityMapping(
device_id_column = "DeviceId",
name_column = "DeviceName",
),
],
files = [
FileEntityMapping(
name_column = "FileName",
sha1_column = "SHA1",
sha256_column = "SHA256",
),
],
),
tactics = [
MitreTactic(
tactic = "Execution",
techniques = [
MitreTechnique(
technique = "T1059.001",
),
],
),
],
),
),
)
result = await graph_client.security.rules.detection_rules.post(request_body)
O exemplo a seguir mostra a resposta.