Microsoft Defender XDR: fix ARM-TTK hardcoded URI false positives in … #14472
Open
juanjosalco wants to merge 3 commits into
Conversation
…phishing hunting queries

Refactor 'Potential OAuth phishing email delivered into Inbox' and 'Possible device code phishing attempts' hunting queries to construct login.microsoftonline.com and login.microsoftonline.us URLs using KQL strcat() instead of string literals.

The queries legitimately need to match these URLs at runtime (OAuth consent and device-code phishing patterns), but the literal strings tripped the ARM-TTK 'DeploymentTemplate Must Not Contain Hardcoded Uri' rule on the generated mainTemplate.json. Splitting the host string via strcat() preserves query semantics and clears the linter.

Version bumped to 3.0.15; mainTemplate.json and 3.0.15.zip regenerated via createSolutionV3.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
This PR updates two Microsoft Defender XDR hunting queries to reconstruct specific Microsoft login-related URL patterns at runtime (via strcat()), avoiding ARM-TTK “hardcoded URI” false positives in the packaged ARM template, and bumps the solution/package version accordingly.
Changes:
- Refactored two hunting queries to build `login.microsoftonline.*` URL patterns using `strcat()`/`pack_array()` instead of inline literals.
- Bumped query versions to `1.0.1` and solution version to `3.0.15`.
- Updated release notes for the new solution version.
Reviewed changes
Copilot reviewed 4 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Solutions/Microsoft Defender XDR/ReleaseNotes.md | Adds a 3.0.15 release note entry describing the query refactor and ARM-TTK impact. |
| Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Phish/Possible device code phishing attempts.yaml | Refactors URL matching list into a pack_array binding and bumps query version. |
| Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Custom Detections/Potential OAuth phishing email delivered into Inbox.yaml | Refactors OAuth consent URL list construction via strcat() and bumps query version. |
| Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json | Bumps solution version to 3.0.15. |
…gnInEventsBeta beta table); reword 3.0.15 release notes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…BufferOverflow rule

Remove the empty 'groupByAlertDetails: []' and 'groupByCustomDetails: []' arrays from PossibleWebpBufferOverflow.yaml. With groupingConfiguration.enabled set to false these fields are unused, and the empty arrays caused ARM-TTK 'Template Should Not Contain Blanks' failures on the regenerated mainTemplate.json.

Regenerate mainTemplate.json and 3.0.15.zip; consolidate the 3.0.15 release notes entry to cover both this fix and the existing hardcoded-URI strcat refactor.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Hi @juanjosalco,

Refactor Potential OAuth phishing email delivered into Inbox and Possible device code phishing attempts hunting queries in the Microsoft Defender XDR solution to construct login.microsoftonline.com and login.microsoftonline.us URLs using KQL strcat() instead of inline string literals.
The queries legitimately need to match these URLs at runtime (OAuth consent and device-code phishing patterns), but the literal strings tripped the ARM-TTK DeploymentTemplate Must Not Contain Hardcoded Uri rule on the generated mainTemplate.json. Splitting the host string via strcat() preserves query semantics and clears the linter.
Version bumped to 3.0.15; mainTemplate.json and 3.0.15.zip regenerated via createSolutionV3.
Change(s):
Reason for Change(s):
Version updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present:
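As an added illustration of the refactor described in this PR (this is not the PR's own query text, which the page does not show), the following KQL sketches the before and after shapes of the host-string construction. `EmailUrlInfo`, `EmailEvents` and the columns used are Defender XDR advanced hunting schema; the OAuth path fragments matched and the join shape are assumptions chosen for illustration, not the actual query's patterns.

```kql
// Added example, not the PR's own query. The host strings are assembled at query
// time with strcat() and bound with pack_array(), so no "login.microsoftonline.*"
// literal appears in the packaged mainTemplate.json that ARM-TTK scans. The value
// the query matches at runtime is identical to the literal form.
//
// Before (trips 'DeploymentTemplate Must Not Contain Hardcoded Uri' in the template):
//   let consentHosts = dynamic(["login.microsoftonline.com", "login.microsoftonline.us"]);
//
// After: same runtime values, built from fragments the linter does not recognise as a URI.
let consentHosts = pack_array(
    strcat("login.", "microsoftonline", ".com"),
    strcat("login.", "microsoftonline", ".us"));
// Path fragments are assumptions for illustration; the real query's patterns are not on the page.
let consentPaths = pack_array("/oauth2/v2.0/authorize", "/oauth2/authorize", "/adminconsent");
EmailUrlInfo
| extend UrlHost = tostring(parse_url(Url).Host), UrlPath = tostring(parse_url(Url).Path)
| where UrlHost in (consentHosts)          // exact host match on the reconstructed strings
| where UrlPath has_any (consentPaths)     // consent / authorize endpoints only
| join kind=inner (
    EmailEvents
    | where DeliveryLocation == "Inbox/folder"   // only mail that actually reached the Inbox
    | project NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject
  ) on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, Url, UrlHost, UrlPath
```

The split changes nothing about what the query does: `strcat("login.", "microsoftonline", ".com")` evaluates to the same string the literal held, so detection coverage is unchanged and the only effect is on the static text ARM-TTK inspects. When reviewing such a change, diff the query body in the regenerated mainTemplate.json against the YAML and run the query once in advanced hunting to confirm it still returns the expected rows.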