
[EDR Workflows] Add Microsoft Defender for Endpoint Custom scripts and runscript subactions#223085

Merged
tomsonpl merged 1 commit intoelastic:mainfrom
tomsonpl:mde-connector-subactions
Jun 10, 2025

Conversation

@tomsonpl (Contributor) commented Jun 9, 2025

Overview

This PR adds support for custom script execution functionality in the Microsoft Defender Endpoint (MDE) connector, including the ability to run scripts and retrieve custom script libraries.

Connector Integration (microsoft_defender_endpoint.ts)

  • Added runScript() method: Executes live response scripts via Microsoft Defender API
    • Uses /api/machines/{id}/runliveresponse endpoint
    • Supports RunScript command type with ScriptName and Args parameters
    • Handles optional arguments with --noargs fallback
  • Added getLibraryFiles() method: Retrieves custom script library
    • Uses /api/libraryfiles endpoint
    • Returns complete library file metadata including fileName, description, creationTime
  • Enhanced Sub-Action Registration:
    • RUN_SCRIPT sub-action with RunScriptParamsSchema validation
    • GET_LIBRARY_FILES sub-action with empty params schema
  • Updated URL Configuration: Added libraryFiles endpoint to connector URLs
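The request that the runScript() sub-action described above has to assemble, as an added example in TypeScript; this is not the connector code from this PR. The endpoint path and the parameter names (RunScript, ScriptName, Args, "--noargs") come from the PR description; the JSON envelope (a Commands array of key/value params plus a Comment) follows the published Microsoft Defender live response request shape as I understand it, and the base URL, the id pattern, the library-membership check and the sample library response are assumptions constructed for the example.

```typescript
// Added example, not the Kibana MDE connector's own code. Builds and validates the
// live response request for the RunScript command described in the PR overview.

const API_BASE = 'https://api.securitycenter.microsoft.com'; // assumed base URL

interface RunScriptParams {
  id: string;          // Defender machine (device) id
  scriptName: string;  // file name of a script in the live response library
  args?: string;       // optional command-line arguments for the script
  comment?: string;    // optional audit comment recorded with the action
}

interface LiveResponseCommand {
  type: 'RunScript';
  params: Array<{ key: 'ScriptName' | 'Args'; value: string }>;
}

interface LiveResponseRequest {
  url: string;
  body: { Commands: LiveResponseCommand[]; Comment: string };
}

// Shape of one entry returned by /api/libraryfiles (fields named in the PR overview).
interface LibraryFile {
  fileName: string;
  description?: string;
  creationTime: string;
}

// Constructed sample of a library listing; not a real API response.
const SAMPLE_LIBRARY_RESPONSE: { value: LibraryFile[] } = {
  value: [
    { fileName: 'collect-logs.ps1', description: 'Collect event logs', creationTime: '2025-06-01T10:00:00Z' },
    { fileName: 'list-procs.ps1', creationTime: '2025-06-02T08:30:00Z' },
  ],
};

function libraryFileNames(resp: { value: LibraryFile[] }): string[] {
  return resp.value.map((f) => f.fileName);
}

// Minimal validation in the spirit of a RunScriptParamsSchema (assumed rules):
// the machine id must be a plain identifier and the script must be a bare library
// file name, so a caller cannot smuggle path segments into the request.
function validateRunScriptParams(p: RunScriptParams, library?: string[]): string[] {
  const errors: string[] = [];
  if (!p.id || !/^[A-Za-z0-9-]+$/.test(p.id)) errors.push('id must be a non-empty machine id');
  if (!p.scriptName || /[\\/]/.test(p.scriptName)) {
    errors.push('scriptName must be a bare library file name, not a path');
  }
  if (library && !library.includes(p.scriptName)) {
    errors.push(`scriptName "${p.scriptName}" is not in the custom script library`);
  }
  return errors;
}

function buildRunScriptRequest(p: RunScriptParams, library?: string[]): LiveResponseRequest {
  const errors = validateRunScriptParams(p, library);
  if (errors.length > 0) throw new Error(errors.join('; '));
  const trimmedArgs = p.args?.trim();
  return {
    url: `${API_BASE}/api/machines/${encodeURIComponent(p.id)}/runliveresponse`,
    body: {
      Commands: [
        {
          type: 'RunScript',
          params: [
            { key: 'ScriptName', value: p.scriptName },
            // When the caller supplies no arguments, send the "--noargs" placeholder
            // instead of an empty value (my reading of the PR's fallback).
            { key: 'Args', value: trimmedArgs ? trimmedArgs : '--noargs' },
          ],
        },
      ],
      Comment: p.comment ?? 'Run script via Elastic EDR workflow',
    },
  };
}

// Usage: restrict execution to scripts that actually exist in the library listing.
const known = libraryFileNames(SAMPLE_LIBRARY_RESPONSE);
const request = buildRunScriptRequest({ id: 'abc123', scriptName: 'collect-logs.ps1' }, known);
console.log(JSON.stringify(request, null, 2));
```

Checking the script name against the library listing before building the request is the kind of guard the GET_LIBRARY_FILES sub-action makes possible: the connector can refuse a RunScript call for a name that the tenant's library does not contain, rather than letting the API reject it after the fact.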

@tomsonpl tomsonpl self-assigned this Jun 9, 2025
@tomsonpl (Contributor, Author) commented Jun 9, 2025

/ci

@tomsonpl tomsonpl added labels release_note:skip (Skip the PR/issue when compiling release notes), Team:Defend Workflows (“EDR Workflows” sub-team of Security Solution), backport:version (Backport to applied version labels), v9.1.0, v8.19.0 Jun 9, 2025
@tomsonpl tomsonpl marked this pull request as ready for review June 9, 2025 08:22
@tomsonpl tomsonpl requested review from a team as code owners June 9, 2025 08:22
@tomsonpl tomsonpl requested review from joeypoon and parkiino June 9, 2025 08:22
@elasticmachine (Contributor) commented

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

@tomsonpl tomsonpl requested review from ashokaditya and szwarckonrad and removed request for joeypoon and parkiino June 9, 2025 08:22
@szwarckonrad (Contributor) left a comment

Code LGTM!

@tomsonpl (Contributor, Author) commented Jun 9, 2025

cc: @pmuellr could you take a look? :) Thanks!

@natasha-moore-elastic (Contributor) commented

Question from a UX perspective: For the CrowdStrike runscript action, the name for the command-line arguments param was CommandLine, and here it's Args. Assuming their usage is the same, is there a reason why the param names don't match? Or are they not used in the same way?

@tomsonpl (Contributor, Author) commented Jun 9, 2025

> Question from a UX perspective: For the CrowdStrike runscript action, the name for the command-line arguments param was CommandLine, and here it's Args. Assuming their usage is the same, is there a reason why the param names don't match? Or are they not used in the same way?

@natasha-moore-elastic, good observation: we decided to mirror the external EDR's argument names, so customers could potentially just copy-paste the command from the other EDR into Elastic.
However, we might adjust it to a common schema in the future.
cc: @raqueltabuyo

@pmuellr (Contributor) left a comment

LGTM, left a comment about a response type


export const GetActionResultsParamsSchema = schema.object({
id: schema.maybe(
schema.oneOf([
@pmuellr (Contributor) commented on the lines above

From a user point-of-view, having the result be string | string[] seems unwieldy to deal with. Can we just make this string[]?

@tomsonpl (Contributor, Author) replied

Thanks! Good idea, I'll adjust it as agreed, in a following PR.

@tomsonpl tomsonpl merged commit 17d5854 into elastic:main Jun 10, 2025
22 checks passed
@kibanamachine (Contributor) commented

Starting backport for target branches: 8.19

https://github.com/elastic/kibana/actions/runs/15566648724

@kibanamachine (Contributor) commented

💚 All backports created successfully

Status Branch Result
8.19

Note: Successful backport PRs will be merged automatically after passing CI.

Questions? Please refer to the Backport tool documentation.

kibanamachine added a commit that referenced this pull request Jun 10, 2025
…ipts and runscript subactions (#223085) (#223276)

# Backport

This will backport the following commits from `main` to `8.19`:
- [[EDR Workflows] Add Microsoft Defender for Endpoint Custom scripts
and runscript subactions
(#223085)](#223085)


### Questions?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)


Co-authored-by: Tomasz Ciecierski <tomasz.ciecierski@elastic.co>
nickpeihl pushed a commit to nickpeihl/kibana that referenced this pull request Jun 12, 2025
iblancof pushed a commit to iblancof/kibana that referenced this pull request Jun 16, 2025