MS-Graph-BlueTeam

Microsoft Graph CLI commands and workflows for Blue Teamers

MS Graph CLI

Requirements

Install the MS Graph CLI toolkit.
Requisite licenses for certain API endpoints, i.e., Microsoft Defender for Threat Intelligence.

Microsoft Defender for Threat Intelligence

Login and configure MDTI Scope

mgc login --strategy DeviceCode --scopes ThreatIntelligence.Read.All

Whois

mgc security threat-intelligence hosts whois get --host-id contoso.com

Convert MDTI WHOIS to a MISP Object

function ConvertTo-MispObject($whoisJson) {
    $mispObject = @{
        "name" = "whois"
        "meta-category" = "network"
        "description" = "Whois record for a domain"
        "template_uuid" = "688c46fb-5edb-40a3-8273-1af7923e2215"
        "template_version" = "4"
        "Attribute" = @(
            @{ "type" = "datetime"; "object_relation" = "expiration-date"; "value" = $whoisJson.expirationDateTime }
            @{ "type" = "datetime"; "object_relation" = "creation-date"; "value" = $whoisJson.registrationDateTime }
            @{ "type" = "text"; "object_relation" = "registrar"; "value" = $whoisJson.registrar.organization }
            @{ "type" = "text"; "object_relation" = "registrant"; "value" = $whoisJson.registrant.organization }
            @{ "type" = "text"; "object_relation" = "registrant-phone"; "value" = $whoisJson.registrant.telephone }
            @{ "type" = "email"; "object_relation" = "registrant-email"; "value" = $whoisJson.registrant.email }
            @{ "type" = "text"; "object_relation" = "registrant-address"; "value" = $whoisJson.registrant.address.street }
            @{ "type" = "text"; "object_relation" = "domain-status"; "value" = $whoisJson.domainStatus }
            @{ "type" = "text"; "object_relation" = "whois-server"; "value" = $whoisJson.whoisServer }
            @{ "type" = "text"; "object_relation" = "raw-record"; "value" = $whoisJson.rawWhoisText }
        )
    }

    for ($i = 0; $i -lt $whoisJson.nameservers.Count; $i++) {
        $mispObject.Attribute += @{ "type" = "hostname"; "object_relation" = "nameserver-$($i + 1)"; "value" = $whoisJson.nameservers[$i].host.id }
    }

    return $mispObject
}

$whoisJson = mgc security threat-intelligence hosts whois get --host-id contoso.com | ConvertFrom-Json

$mispObject = ConvertTo-MispObject -whoisJson $whoisJson

# Print the MISP object
$mispObject | ConvertTo-Json -Depth 10

Domain Reputation

mgc security threat-intelligence hosts reputation get --host-id contoso.com

Reverse DNS

mgc security threat-intelligence hosts passive-dns-reverse list --host-id contoso.com

View results with JSON Crackin VSCode

Pre-requisites

JSON Crack VSCode Extension

mgc security threat-intelligence hosts whois get --host-id contoso.com > contoso_whois.json; code contoso_whois.json

CTRL + SHIFT + p
menubar: Enable JSON Crack visualization
ENTER

Search Threat Intel Articles

Search articles for a keyword, provide a count and only return the article ID and Title.

mgc security threat-intelligence articles list --select title --search "Confluence" --count "true"

Return the results as table

mgc security threat-intelligence articles list --search "Confluence" --count "true" --output TABLE

List indicators for a Threat Intel Article

mgc security threat-intelligence articles indicators list --article-id <id>

Render a Threat Intel Article as Markdown in the terminal (PowerShell)

$articleObject = mgc security threat-intelligence articles get --article-id "<id>" | ConvertFrom-Json
$articleObject.body.content | Show-Markdown

M365 Defender

Login and configure M365D Scope

mgc login --strategy DeviceCode --scopes ThreatHunting.Read.All

Run an Advanced Hunting Query

mgc security microsoft-graph-security-run-hunting-query post --body '{"Query":"DeviceProcessEvents | where InitiatingProcessFileName =~ \"powershell.exe\" | project Timestamp, FileName, InitiatingProcessFileName | order by Timestamp desc | limit 2"}'

Run an Advanced Hunting Query from the Microsoft Sentinel Github Repo

Import-Module powershell-yaml

$jsonObject = ConvertTo-Json -InputObject @{ Query = (ConvertFrom-Yaml (Invoke-WebRequest -Uri "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Hunting%20Queries/Microsoft%20365%20Defender/Troubleshooting/Connectivity%20Failures%20by%20Device.yaml")).query }

mgc security microsoft-graph-security-run-hunting-query post --body $jsonObject

or save the results as a PSCustom Object

$result = mgc security microsoft-graph-security-run-hunting-query post --body $jsonObject | ConvertFrom-Json
$result.results

MS-Graph-BlueTeam
MS-Graph-BlueTeam copied to clipboard

Metadata

MS-Graph-BlueTeam

MS Graph CLI

Requirements

Microsoft Defender for Threat Intelligence

Login and configure MDTI Scope

Whois

Convert MDTI WHOIS to a MISP Object

Domain Reputation

Reverse DNS

View results with JSON Crackin VSCode

Pre-requisites

Search Threat Intel Articles

List indicators for a Threat Intel Article

Render a Threat Intel Article as Markdown in the terminal (PowerShell)

M365 Defender

Login and configure M365D Scope

Run an Advanced Hunting Query

Run an Advanced Hunting Query from the Microsoft Sentinel Github Repo

← Metadata

Owner

Metadata

MS-Graph-BlueTeam MS-Graph-BlueTeam copied to clipboard

Metadata

MS-Graph-BlueTeam

MS Graph CLI

Requirements

Microsoft Defender for Threat Intelligence

Login and configure MDTI Scope

Whois

Convert MDTI WHOIS to a MISP Object

Domain Reputation

Reverse DNS

View results with JSON Crackin VSCode

Pre-requisites

Search Threat Intel Articles

List indicators for a Threat Intel Article

Render a Threat Intel Article as Markdown in the terminal (PowerShell)

M365 Defender

Login and configure M365D Scope

Run an Advanced Hunting Query

Run an Advanced Hunting Query from the Microsoft Sentinel Github Repo

← Metadata

Owner

Metadata

MS-Graph-BlueTeam
MS-Graph-BlueTeam copied to clipboard