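<#
.SYNOPSIS
    Imports the Feodo Tracker "Online" C2 IP blocklist into Microsoft Defender for Endpoint
    as Block indicators.

.DESCRIPTION
    Intended to run as an Azure Automation runbook. The script:
      1. reads the client secret from the Automation variable 'AppSecret' and obtains an
         app-only access token (client_credentials) for the Defender for Endpoint API;
      2. downloads the Feodo Tracker JSON blocklist and keeps entries whose status is "Online";
      3. submits the entries to the indicators import endpoint in batches (the endpoint
         accepts at most 500 indicators per request).
    Every indicator is created with an expirationTime two hours in the future, so the runbook
    must be scheduled to re-run before that window elapses or the blocks lapse.

.PARAMETER ApplicationId
    Application (client) ID of the app registration used for the Defender for Endpoint API.

.PARAMETER TenantId
    Azure AD tenant ID used in the OAuth2 token request URL.

.NOTES
    Import failures for individual indicators are reported as warnings and do not stop the
    run; failure to obtain a token or to download the blocklist terminates the run.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string] $ApplicationId,

    [Parameter(Mandatory = $true)]
    [string] $TenantId
)

# Upper bound on indicators per import request (documented limit of the import endpoint).
$BatchSize = 500

# Lifetime of each created indicator; the runbook schedule must be shorter than this.
$IndicatorLifetimeHours = 2

#######################################
# Posts one batch of indicators to the Defender for Endpoint import endpoint.
# Arguments:
#   -Body     JSON document with an "Indicators" array (output of ConvertTo-Json).
#   -Headers  Request headers including the bearer token and JSON content type.
# Outputs:
#   One line per indicator: a success message on the output stream, or a warning with the
#   indicator and the failureReason returned by the API.
#   A transport/HTTP error for the whole request is reported as a single warning so that
#   the remaining batches are still attempted.
#######################################
function Invoke-IndicatorImport {
    param (
        $Body,
        $Headers
    )

    #region Import indicators
    try {
        $Response = Invoke-RestMethod -Method Post -Headers $Headers -Body $Body -UseBasicParsing `
            -Uri "https://api.securitycenter.microsoft.com/api/indicators/import"

        foreach ($ReturnValue in $Response.value) {
            if ($ReturnValue.isFailed) {
                Write-Warning "Could not import indicator`t $($ReturnValue.indicator) because:`t $($ReturnValue.failureReason)"
            }
            else {
                Write-Output "Successfully imported indicator`t $($ReturnValue.indicator)"
            }
        }
    }
    catch {
        # For HTTP errors the response body (when PowerShell captured it) lives in
        # ErrorDetails and is more specific than the generic exception text.
        if ($_.ErrorDetails -and $_.ErrorDetails.Message) {
            $Detail = $_.ErrorDetails.Message
        }
        else {
            $Detail = $_.Exception.Message
        }
        Write-Warning "Indicator import request failed - $Detail"
    }
    #endregion
}

# Retrieve application secret from the Automation account. It is only ever sent to the
# token endpoint below and is never written to the output or warning streams.
$AppSecret = Get-AutomationVariable -Name 'AppSecret'

#region Connect to Defender for Endpoint service API
$TokenRequest = @{
    "resource"      = "https://api.securitycenter.windows.com"
    "client_id"     = $ApplicationId
    "client_secret" = $AppSecret
    "grant_type"    = "client_credentials"
}

try {
    $TokenResponse = Invoke-RestMethod -Method Post -Body $TokenRequest -UseBasicParsing `
        -Uri "https://login.windows.net/$TenantId/oauth2/token"
}
catch {
    throw "Could not obtain access token - $($_.Exception.Message)"
}

# Drop the secret from the session as soon as the token request is done.
Remove-Variable -Name AppSecret, TokenRequest -ErrorAction SilentlyContinue

# Without a token every batch would be rejected and surface only as per-request warnings;
# fail the run here instead so the problem is visible in the job status.
if ([string]::IsNullOrEmpty($TokenResponse.access_token)) {
    throw "Token endpoint returned no access_token"
}
$AccessToken = $TokenResponse.access_token

$Headers = @{
    'Content-Type'  = 'application/json'
    'Accept'        = 'application/json'
    'Authorization' = "Bearer " + $AccessToken
}
#endregion

# Download the latest JSON blocklist and keep only servers currently reported as online
try {
    $Blocklist = Invoke-RestMethod -Method Get -UseBasicParsing -Uri "https://feodotracker.abuse.ch/downloads/ipblocklist.json"
    # @() so an empty or single-entry result behaves as a list below.
    $Blocklist = @($Blocklist | Where-Object status -EQ "Online")
}
catch {
    throw "Could not download list of indicators - $($_.Exception.Message)"
}

if ($Blocklist.Count -eq 0) {
    Write-Output "Blocklist contains no online C2 servers; nothing to import"
}

# ISO 8601 ("o") UTC timestamp used as expirationTime for every indicator in this run
$ExpirationTime = Get-Date -Format "o" -Date (Get-Date).ToUniversalTime().AddHours($IndicatorLifetimeHours)

#region Generate IoC JSON
# https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/import-ti-indicators
$Indicators = New-Object System.Collections.ArrayList

foreach ($BlockIP in $Blocklist) {
    # ArrayList.Add returns the new index; [void] discards it without a pipeline.
    [void] $Indicators.Add(@{
            indicatorValue     = "$($BlockIP.ip_address)"
            indicatorType      = "IpAddress"
            action             = "Block"
            # NOTE(review): kept as the string "False" from the original; confirm whether the
            # import endpoint expects a JSON boolean here.
            generateAlert      = "False"
            severity           = "High"
            title              = "Connection to active C2 server detected"
            description        = "Connection to C2 server based on Feodo Tracker blocklist.`n`nAdditional information:`nMalware type: $($BlockIP.malware)`nFirst seen: $($BlockIP.first_seen)`nLast online date: $($BlockIP.last_online)`nTCP port: $($BlockIP.port)"
            recommendedActions = "Check machine for any signs of infections"
            expirationTime     = $ExpirationTime
        })

    # Flush a full batch; the list length replaces the separate counter of the original.
    if ($Indicators.Count -ge $BatchSize) {
        # Explicit -Depth so the nested hashtables are never truncated to strings.
        $BodyJSON = @{ "Indicators" = $Indicators } | ConvertTo-Json -Depth 4
        Invoke-IndicatorImport -Headers $Headers -Body $BodyJSON
        # The JSON string is already built, so clearing the list is safe.
        $Indicators.Clear()
    }
}

if ($Indicators.Count -gt 0) {
    # Submit the remaining (partial) batch of indicators
    $BodyJSON = @{ "Indicators" = $Indicators } | ConvertTo-Json -Depth 4
    Invoke-IndicatorImport -Headers $Headers -Body $BodyJSON
}
#endregion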