M507/MDEIPP

A parser for Microsoft Defender for Endpoint (MDE) Investigation Packages.
MDEIPP - MDE Investigation Package Parser

A modular Python parser for Microsoft Defender for Endpoint (MDE) Investigation Packages. Converts various artifact files (txt, evtx, registry exports) to CSV format with source tracking for Elasticsearch ingestion.

Quick Start

# 1. Install dependency (required for Security Event Log parsing)
pip install python-evtx

# 2. Parse all artifacts
python -m MDEIPP.main /path/to/MDE_Investigation_Package /path/to/output

# 3. Output CSVs will be in /path/to/output/ with artifact_source column for Elastic

Example:

python -m MDEIPP.main ./MDE_Investigation_Package ./output

All output CSVs include an artifact_source column identifying the artifact origin for Elasticsearch ingestion.


Features

  • Modular Architecture: Each artifact type has its own parser module
  • Automatic Encoding Detection: Handles UTF-8, UTF-16, and other encodings automatically
  • Source Tracking: Adds artifact_source column to all outputs for Elasticsearch identification
  • Existing CSV Preservation: CSV files are copied with artifact_source added, preserving original structure

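The encoding detection and artifact_source tagging listed above, as an added example that is not MDEIPP's own code (the project's real logic lives in core.py and may differ). It sniffs a BOM first, falls back to a NUL-byte heuristic for BOM-less UTF-16 (what you get when a tool was run under cmd.exe /u), then strict UTF-8, and finally cp1252; the cp1252 fallback is an assumption about the ANSI code page of the collected host. The byte samples are constructed to stand in for files under System Information/.

```python
import csv
import io
from typing import Dict, List

# Added example, not MDEIPP's own code. Falling back to cp1252 is an assumption
# (the default ANSI code page on English-locale Windows), not project behaviour.

FIELDS = ["artifact_source", "property_name", "property_value"]


def detect_and_decode(raw: bytes) -> str:
    """Decode a collected text artifact without knowing its encoding up front."""
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw.decode("utf-8-sig")          # UTF-8 BOM, stripped by the codec
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")             # BOM picks endianness and is consumed
    # BOM-less UTF-16: ASCII text shows up as one text byte + one NUL byte per
    # character, so check which byte lane is mostly NUL.
    if len(raw) >= 4 and len(raw) % 2 == 0:
        half = len(raw) // 2
        if raw[1::2].count(0) > half * 0.7:
            return raw.decode("utf-16-le")
        if raw[0::2].count(0) > half * 0.7:
            return raw.decode("utf-16-be")
    try:
        return raw.decode("utf-8")              # strict: fails on stray ANSI bytes
    except UnicodeDecodeError:
        return raw.decode("cp1252")             # assumed legacy code page


def parse_key_value(text: str, artifact_source: str) -> List[Dict[str, str]]:
    """Turn 'Key:   Value' lines (systeminfo-style) into tagged records."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            continue                            # blank line or no separator
        records.append({"artifact_source": artifact_source,
                        "property_name": key,
                        "property_value": value})
    return records


def records_to_csv(records: List[Dict[str, str]]) -> str:
    """Serialise records with artifact_source as the first column."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


# Constructed samples standing in for files inside "System Information/".
SAMPLE_UTF16_BOM = (
    "Host Name:                 SERVER01\r\n"
    "OS Name:                   Microsoft Windows Server 2019 Standard\r\n"
).encode("utf-16")                              # Python's utf-16 encoder emits a BOM
SAMPLE_UTF16LE_NO_BOM = "Host Name: SERVER02\r\n".encode("utf-16-le")
SAMPLE_CP1252 = b"Registered Owner:          Jos\xe9\r\n"   # 0xE9 is not valid UTF-8


def demo() -> str:
    """Decode the UTF-16 sample and emit CSV in the README's output layout."""
    records = parse_key_value(detect_and_decode(SAMPLE_UTF16_BOM), "SystemInformation")
    return records_to_csv(records)


if __name__ == "__main__":
    print(demo(), end="")
```

The NUL-lane heuristic matters in practice: netstat, ipconfig and similar tools redirected to a file on a host with Unicode console output produce UTF-16LE with no BOM, and a naive UTF-8 read of such a file yields rows full of NUL characters that Elasticsearch will happily index as garbage.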
Supported Artifacts

| Parser | Folder | Description | Status |
|---|---|---|---|
| Autoruns | Autoruns/ | Registry autorun entries | ✅ Complete |
| ForensicsCollectionSummary | (root) | Collection command execution log | ✅ Complete |
| InstalledPrograms | Installed Programs/ | Programs from registry & CSV | ✅ Complete |
| NetworkConnections | Network Connections/ | Netstat, ARP, DNS, IPConfig | ✅ Complete |
| PrefetchFiles | Prefetch Files/ | Prefetch file listings | ✅ Complete |
| Processes | Processes/ | Running processes CSV | ✅ Complete |
| ScheduledTasks | Scheduled Tasks/ | Scheduled tasks CSV | ✅ Complete |
| SecurityEventLog | Security Event Log/ | EVTX & text event logs | ✅ Complete |
| Services | Services/ | Windows services CSV | ✅ Complete |
| SMBSession | SMB Session/ | SMB session information | ✅ Complete |
| SystemInformation | System Information/ | System info output | ✅ Complete |
| TempDirectories | Temp Directories/ | Temp directory listings | ✅ Complete |
| UsersAndGroups | Users and Groups/ | Local groups & users | ✅ Complete |
| WdSupportLogs | WdSupportLogs/ | Windows Defender logs | ✅ Complete |

Installation

# Clone or copy the MDEIPP folder to your project

# Optional: python-evtx is needed only by the Security Event Log parser (EVTX files)
pip install python-evtx

Usage

Command Line

# Parse entire MDE Investigation Package
python -m MDEIPP.main /path/to/MDE_Investigation_Package /path/to/output

# Parse specific artifact only
python -m MDEIPP.main /path/to/MDE_Investigation_Package /path/to/output --parser autoruns

# List available parsers
python -m MDEIPP.main --list-parsers

# Get JSON output
python -m MDEIPP.main /path/to/MDE_Investigation_Package /path/to/output --json

Python API

from pathlib import Path
from MDEIPP.main import MDEIPPRunner

# Initialize runner
runner = MDEIPPRunner(
    source_path=Path("/path/to/MDE_Investigation_Package"),
    output_path=Path("/path/to/output")
)

# Run all parsers
results = runner.run_all()

# Run specific parser
results = runner.run_parser("autoruns")

Output

Each parser produces CSV files with an artifact_source column for Elasticsearch identification:

artifact_source,property_name,property_value
SystemInformation,Host Name,SERVER01
SystemInformation,OS Name,Microsoft Windows Server 2019 Standard

Output Files

| File | Source Artifact |
|---|---|
| ActiveNetConnections.csv | Network Connections |
| Arp.csv | Network Connections |
| Autoruns.csv | Autoruns |
| DnsCache.csv | Network Connections |
| Forensics Collection Summary.csv | Forensics Collection Summary |
| InstalledPrograms.csv | Installed Programs |
| InstalledPrograms_Registry.csv | Installed Programs |
| IpConfig.csv | Network Connections |
| LocalGroups.csv | Users and Groups |
| MpCmdRunLog.csv | WdSupportLogs |
| PrefetchFiles.csv | Prefetch Files |
| Processes.csv | Processes |
| ScheduledTasks.csv | Scheduled Tasks |
| Services.csv | Services |
| SMBSession.csv | SMB Session |
| SystemInformation.csv | System Information |
| TempDirectories.csv | Temp Directories |
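How an existing CSV artifact such as Processes.csv is carried through with the artifact_source column prepended and the original columns untouched, and then turned into an Elasticsearch _bulk body, as an added example (not MDEIPP's code; the project's own CSV handling lives in core.py). The sample CSV content and its column names are constructed and are an assumption about what the collected file looks like, not something this README documents.

```python
import csv
import io
import json
from typing import Dict, List

# Added example, not MDEIPP's own code. The column names in the sample below are
# an assumption about the collected Processes.csv, not taken from the project.


def add_artifact_source(csv_text: str, artifact_source: str) -> str:
    """Return the CSV with artifact_source prepended, original columns untouched."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if not reader.fieldnames:
        return ""                                   # empty file: nothing to tag
    if "artifact_source" in reader.fieldnames:
        raise ValueError("artifact_source column already present")
    fieldnames = ["artifact_source"] + list(reader.fieldnames)
    out = io.StringIO()
    # restval pads short rows; extrasaction="ignore" drops cells beyond the
    # header (DictReader parks those under the key None) instead of raising.
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n",
                            restval="", extrasaction="ignore")
    writer.writeheader()
    for row in reader:
        row["artifact_source"] = artifact_source
        writer.writerow(row)
    return out.getvalue()


def to_bulk_ndjson(csv_text: str, index: str) -> str:
    """Build an Elasticsearch _bulk body: one action line, one document line per row."""
    lines: List[str] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(row))
    return "\n".join(lines) + "\n"                  # _bulk requires a trailing newline


def load_bulk_docs(bulk_body: str) -> List[Dict[str, str]]:
    """Parse the document lines (every second line) back out of a bulk body."""
    return [json.loads(line) for line in bulk_body.splitlines()[1::2]]


# Constructed stand-in for Processes/Processes.csv. The quoted command line with
# a comma shows quoting survives the rewrite; the short last row shows padding.
SAMPLE_PROCESSES_CSV = (
    "Name,PID,CommandLine\n"
    "lsass.exe,712,C:\\Windows\\system32\\lsass.exe\n"
    "cmd.exe,4120,\"cmd.exe /c echo a,b\"\n"
    "svchost.exe,900\n"
)


def demo() -> str:
    """Tag the sample with artifact_source=Processes and emit a bulk body."""
    tagged = add_artifact_source(SAMPLE_PROCESSES_CSV, "Processes")
    return to_bulk_ndjson(tagged, "mde-investigation")


if __name__ == "__main__":
    print(demo(), end="")
```

Because every document carries artifact_source, one index can hold all artifacts from a package and a query such as `artifact_source:Processes AND CommandLine:*-enc*` still isolates a single source; the raise on a pre-existing column guards against tagging the same file twice when a run is repeated into a populated output directory.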

Testing

# Run test suite
python -m MDEIPP.tests.test_all_modules /path/to/MDE_Investigation_Package /path/to/output

Project Structure

MDEIPP/
├── __init__.py          # Package initialization
├── core.py              # Base classes, models, utilities
├── main.py              # Main orchestrator & CLI
├── requirements.txt     # Dependencies
├── README.md            # This file
├── parsers/
│   ├── __init__.py
│   ├── autoruns.py
│   ├── installed_programs.py
│   ├── network_connections.py
│   ├── prefetch_files.py
│   ├── processes.py
│   ├── scheduled_tasks.py
│   ├── security_event_log.py
│   ├── services.py
│   ├── smb_session.py
│   ├── system_information.py
│   ├── temp_directories.py
│   ├── users_and_groups.py
│   └── wdsupportlogs.py
├── tests/
│   ├── __init__.py
│   └── test_all_modules.py
└── output/              # Default output directory

Adding New Parsers

  1. Create a new file in parsers/ (e.g., new_artifact.py)
  2. Inherit from BaseParser in core.py
  3. Implement artifact_name, folder_name, and parse() method
  4. Add import and registration in parsers/__init__.py
  5. Add to ALL_PARSERS list in main.py

Example:

from typing import List

from ..core import BaseParser, ParsedRecord


class NewArtifactParser(BaseParser):
    """Parser for a hypothetical 'New Artifact Folder' directory."""

    @property
    def artifact_name(self) -> str:
        # Value written to the artifact_source column of every record
        return "NewArtifact"

    @property
    def folder_name(self) -> str:
        # Sub-folder of the investigation package this parser reads from
        return "New Artifact Folder"

    def parse(self) -> List[ParsedRecord]:
        # Implement parsing logic
        records: List[ParsedRecord] = []
        # ... parse files ...
        self.write_csv(records, "NewArtifact.csv")
        return records

License

MIT License
