check-msdefender 1.1.0__py3-none-any.whl → 1.1.1__py3-none-any.whl
- {check_msdefender-1.1.0.dist-info → check_msdefender-1.1.1.dist-info}/METADATA +37 -2
- {check_msdefender-1.1.0.dist-info → check_msdefender-1.1.1.dist-info}/RECORD +6 -6
- {check_msdefender-1.1.0.dist-info → check_msdefender-1.1.1.dist-info}/WHEEL +0 -0
- {check_msdefender-1.1.0.dist-info → check_msdefender-1.1.1.dist-info}/entry_points.txt +0 -0
- {check_msdefender-1.1.0.dist-info → check_msdefender-1.1.1.dist-info}/licenses/LICENSE +0 -0
- {check_msdefender-1.1.0.dist-info → check_msdefender-1.1.1.dist-info}/top_level.txt +0 -0
|
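--- a/check_msdefender-1.1.0.dist-info/METADATA
+++ b/check_msdefender-1.1.1.dist-info/METADATA
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: check-msdefender
-Version: 1.1.
+Version: 1.1.1
 Summary: A Nagios plugin for monitoring Microsoft Defender API endpoints
 Author-email: ldvchosal <ldvchosal@github.com>
 License: MIT
@@ -46,7 +46,7 @@ A comprehensive **Nagios plugin** for monitoring Microsoft Defender for Endpoint
 ## ✨ Features
 
 - 🔐 **Dual Authentication** - Support for Client Secret and Certificate-based authentication
-- 🎯 **Multiple Endpoints** - Monitor onboarding status, last seen, vulnerabilities, and machine details
+- 🎯 **Multiple Endpoints** - Monitor onboarding status, last seen, vulnerabilities, alerts, and machine details
 - 📊 **Nagios Compatible** - Standard exit codes and performance data output
 - 🏗️ **Clean Architecture** - Modular design with testable components
 - 🔧 **Flexible Configuration** - File-based configuration with sensible defaults
@@ -78,6 +78,9 @@ check_msdefender lastseen -d machine.domain.tld -W 7 -C 30
 # Check vulnerabilities
 check_msdefender vulnerabilities -d machine.domain.tld -W 10 -C 100
 
+# Check alerts
+check_msdefender alerts -d machine.domain.tld -W 1 -C 5
+
 # List all machines
 check_msdefender machines
 
@@ -92,6 +95,7 @@ check_msdefender detail -d machine.domain.tld
 | `onboarding` | Check machine onboarding status | W:1, C:2 |
 | `lastseen` | Days since machine last seen | W:7, C:30 |
 | `vulnerabilities` | Vulnerability score calculation | W:10, C:100 |
+| `alerts` | Count of unresolved alerts | W:1, C:0 |
 | `machines` | List all machines | W:10, C:25 |
 | `detail` | Get detailed machine information | - |
 
@@ -103,6 +107,14 @@ The vulnerability score is calculated as:
 - **Medium vulnerabilities** × 5
 - **Low vulnerabilities** × 1
 
+### Alert Monitoring
+
+The alerts command monitors unresolved security alerts for a machine:
+- **Counts only unresolved alerts** (status ≠ "Resolved")
+- **Excludes informational alerts** when critical/warning alerts exist
+- **Shows alert details** including creation time, title, and severity
+- **Default thresholds**: Warning at 1 alert, Critical at 0 (meaning any alert triggers warning)
+
 ### Onboarding Status Values
 
 - `0` - Onboarded ✅
@@ -145,6 +157,7 @@ timeout = 5
 - `Machine.Read.All`
 - `Vulnerability.Read`
 - `Vulnerability.Read.All`
+- `Alert.Read.All`
 3. **Create Authentication** (Secret or Certificate)
 4. **Note Credentials** (Client ID, Tenant ID, Secret/Certificate)
 
@@ -182,6 +195,11 @@ define command {
 command_name check_defender_vulnerabilities
 command_line $USER1$/check_msdefender/bin/check_msdefender vulnerabilities -d $HOSTALIAS$ -W 10 -C 100
 }
+
+define command {
+command_name check_defender_alerts
+command_line $USER1$/check_msdefender/bin/check_msdefender alerts -d $HOSTALIAS$ -W 1 -C 5
+}
 ```
 
 ### Service Definitions
@@ -208,6 +226,13 @@ define service {
 check_command check_defender_vulnerabilities
 hostgroup_name msdefender
 }
+
+define service {
+use generic-service
+service_description DEFENDER_ALERTS
+check_command check_defender_alerts
+hostgroup_name msdefender
+}
 ```
 
 ## 🏗️ Architecture
@@ -221,6 +246,7 @@ check_msdefender/
 │ │ ├── onboarding.py # Onboarding status command
 │ │ ├── lastseen.py # Last seen command
 │ │ ├── vulnerabilities.py # Vulnerabilities command
+│ │ ├── alerts.py # Alerts monitoring command
 │ │ ├── machines.py # List machines command
 │ │ └── detail.py # Machine detail command
 │ ├── decorators.py # Common CLI decorators
@@ -236,6 +262,7 @@ check_msdefender/
 │ ├── onboarding_service.py # Onboarding business logic
 │ ├── lastseen_service.py # Last seen business logic
 │ ├── vulnerabilities_service.py # Vulnerability business logic
+│ ├── alerts_service.py # Alerts monitoring business logic
 │ ├── machines_service.py # Machines business logic
 │ ├── detail_service.py # Detail business logic
 │ └── models.py # Data models
@@ -317,6 +344,14 @@ DEFENDER WARNING - Last seen: 10 days ago | lastseen=10;7;30;0;
 DEFENDER CRITICAL - Vulnerability score: 150 (1 Critical, 5 High) | vulnerabilities=150;10;100;0;
 ```
 
+### Alerts Warning
+```
+DEFENDER WARNING - Unresolved alerts for machine.domain.com | alerts=2;1;5;0;
+Unresolved alerts for machine.domain.com
+2025-09-14T10:22:14.12Z - Suspicious activity detected (New high)
+2025-09-14T12:00:00.00Z - Malware detection (InProgress medium)
+```
+
 ## 🔧 Troubleshooting
 
 ### Common Issues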
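--- a/check_msdefender-1.1.0.dist-info/RECORD
+++ b/check_msdefender-1.1.1.dist-info/RECORD
@@ -27,9 +27,9 @@ check_msdefender/services/machines_service.py,sha256=5s5BXB4GUMQ8z3rPy32lybp0Dsl
 check_msdefender/services/models.py,sha256=8p8UHh86h9TjeYahhu_qCBpfuGGS3tObhtlpYk9kB8I,985
 check_msdefender/services/onboarding_service.py,sha256=RIOsvALCoKV0YqnCHKYRkelSPrO-F-6vNBLlto4MpiI,2686
 check_msdefender/services/vulnerabilities_service.py,sha256=ikD6E-hg7LtvCiTg7cTCqGSTly6Wgtql82NJD81D2n0,6812
-check_msdefender-1.1.
-check_msdefender-1.1.
-check_msdefender-1.1.
-check_msdefender-1.1.
-check_msdefender-1.1.
-check_msdefender-1.1.
+check_msdefender-1.1.1.dist-info/licenses/LICENSE,sha256=kW3DwIsKc9HVYdS4f4tI6sLo-EPqBQbz-WmuvHU4Nak,1065
+check_msdefender-1.1.1.dist-info/METADATA,sha256=Ew5sloXo0tys9KMjetkTtsu35oPa2MYuqL3g0fPFkPw,14074
+check_msdefender-1.1.1.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+check_msdefender-1.1.1.dist-info/entry_points.txt,sha256=EMA_qKSvf5dC6yRrajd0W-UgS3C5Ce0o04i3_5A34Cs,63
+check_msdefender-1.1.1.dist-info/top_level.txt,sha256=0XgjD7gBWFImxE44zghS94ZGdonRZlfVEpfspnBnG5A,17
+check_msdefender-1.1.1.dist-info/RECORD,,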
|