In [3]:
# helper functions to fetch data from defender APIs

import requests
import json

# Get access token from Microsoft Entra ID
def get_access_token(client_id, client_secret, tenant_id):
    url = f'https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token'
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    body = {
        'grant_type': 'client_credentials',
        'client_id': client_id,
        'client_secret': client_secret,
        'scope': 'https://api.securitycenter.microsoft.com/.default'
    }
    response = requests.post(url, headers=headers, data=body)
    response.raise_for_status()
    return response.json().get('access_token')

# Fetch recommendations from Microsoft Defender API
def fetch_defender_software_data(access_token, query_string):
    url = 'https://api.securitycenter.microsoft.com/api/software' + query_string 
    headers = {
        'Authorization': f'Bearer {access_token}',
        'Content-Type': 'application/json'
    }
    response = requests.get(url, headers=headers)
    response.raise_for_status()

    # mock up since my Defender environment does not have data
    # start mockup up 
    if query_string == "":
        return {"value":[{"id":"software-011","name":"microsoft-_-edge","vendor":"Microsoft","weaknesses":467,"publicExploit":1,"activeAlert":0,"exposedMachines":172,"impactScore":2.39947438},{"id":"software-002","name":"microsoft-_-office","vendor":"Microsoft","weaknesses":123,"publicExploit":0,"activeAlert":1,"exposedMachines":50,"impactScore":3.21456789},{"id":"software-003","name":"adobe-_-acrobatreader","vendor":"Adobe","weaknesses":340,"publicExploit":0,"activeAlert":0,"exposedMachines":230,"impactScore":4.12345678},{"id":"software-004","name":"google-_-chrome","vendor":"Google","weaknesses":276,"publicExploit":0,"activeAlert":0,"exposedMachines":190,"impactScore":3.98765432},{"id":"software-005","name":"zoom-_-zoomvideocommunications","vendor":"Zoom Video Communications","weaknesses":150,"publicExploit":0,"activeAlert":0,"exposedMachines":100,"impactScore":2.87654321},{"id":"software-006","name":"slack-_-slacktechnologies","vendor":"Slack Technologies","weaknesses":90,"publicExploit":0,"activeAlert":0,"exposedMachines":80,"impactScore":1.76543210},{"id":"software-007","name":"mozilla-_-firefox","vendor":"Mozilla","weaknesses":230,"publicExploit":0,"activeAlert":0,"exposedMachines":145,"impactScore":3.45678901},{"id":"software-008","name":"autodesk-_-autocad","vendor":"Autodesk","weaknesses":50,"publicExploit":0,"activeAlert":0,"exposedMachines":70,"impactScore":1.23456789},{"id":"software-009","name":"sap-_-sapbusinessone","vendor":"SAP","weaknesses":200,"publicExploit":0,"activeAlert":0,"exposedMachines":120,"impactScore":2.98765432},{"id":"software-010","name":"oracle-_-java","vendor":"Oracle","weaknesses":310,"publicExploit":0,"activeAlert":0,"exposedMachines":210,"impactScore":4.56789012}]}
    elif "machineReferences" in query_string:
        return {"value":[{"id":"7c7e1896fa39efb0a32a2cf421d837af1b9bf762","softwareName": "microsoft-_-edge", "computerDnsName":"dave_desktop","osPlatform":"Windows10","rbacGroupName":"GroupTwo"},{"id":"8a6e28b7fa50efb1b23b3cf532e948bf2c1bf773","softwareName": "microsoft-_-edge", "computerDnsName":"alice_laptop","osPlatform":"Windows11","rbacGroupName":"GroupOne"},{"id":"9b7f39c8fa61efc2c34c4df643f059df3d2cf784","softwareName": "microsoft-_-edge","computerDnsName":"john_tablet","osPlatform":"Windows10","rbacGroupName":"GroupThree"},{"id":"ac8g40d9fa72efd3d45d5ef754g16aeg4e3dg895","softwareName": "microsoft-_-edge","computerDnsName":"maria_mobile","osPlatform":"Windows11","rbacGroupName":"GroupFour"}]}
    elif "vulnerabilities" in query_string:
        return {"value":[{"id":"CVE-2017-0140","name":"CVE-2017-0140","softwareName":"microsoft-_-edge","description":"A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.","severity":"Medium","cvssV3":4.2,"exposedMachines":1,"publishedOn":"2017-03-14T00:00:00Z","updatedOn":"2019-10-03T00:03:00Z","publicExploit":0,"exploitVerified":0,"exploitInKit":0,"exploitTypes":[],"exploitUris":[]},{"id":"CVE-2018-8120","name":"CVE-2018-8120","softwareName":"microsoft-_-edge","description":"A remote code execution vulnerability exists in Microsoft Edge when the browser improperly accesses objects in memory. This vulnerability allows an attacker to execute arbitrary code in the context of the current user.","severity":"Critical","cvssV3":9.0,"exposedMachines":5,"publishedOn":"2018-05-08T00:00:00Z","updatedOn":"2019-10-03T00:03:00Z","publicExploit":1,"exploitVerified":1,"exploitInKit":1,"exploitTypes":["Remote Code Execution"],"exploitUris":["https://example.com/exploit"]},{"id":"CVE-2019-1367","name":"CVE-2019-1367","softwareName":"microsoft-_-edge","description":"A remote code execution vulnerability exists in Microsoft Edge when the browser improperly handles objects in memory.","severity":"Critical","cvssV3":9.0,"exposedMachines":3,"publishedOn":"2019-09-23T00:00:00Z","updatedOn":"2019-10-03T00:03:00Z","publicExploit":1,"exploitVerified":1,"exploitInKit":1,"exploitTypes":["Remote Code Execution"],"exploitUris":["https://example.com/exploit"]},{"id":"CVE-2020-0674","name":"CVE-2020-0674","softwareName":"microsoft-_-edge","description":"A remote code execution vulnerability exists in Microsoft Edge when the browser improperly handles objects in memory.","severity":"Critical","cvssV3":9.0,"exposedMachines":2,"publishedOn":"2020-01-14T00:00:00Z","updatedOn":"2019-10-03T00:03:00Z","publicExploit":1,"exploitVerified":1,"exploitInKit":1,"exploitTypes":["Remote Code Execution"],"exploitUris":["https://example.com/exploit"]}]}
    # end mockup up 
    return response.json()


StatementMeta(, 74c0477a-7bff-446a-b992-068fb355f74b, 5, Finished, Available, Finished)

In [4]:
import pandas as pd

# Replace these variables with your app registration details
client_id = '<your client id>'
client_secret = '<your secret>'
tenant_id = '<your tenant id>'

token = get_access_token(client_id, client_secret, tenant_id)

# See https://learn.microsoft.com/en-us/defender-endpoint/api/software
# example URLs:
#
# https://api.securitycenter.microsoft.com/api/software
# https://api.securitycenter.microsoft.com/api/software/microsoft-_-edge/machineReferences
# https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulnerabilities


software_list = fetch_defender_software_data(token, "")

# write software to table
print("write software to table")
df = pd.DataFrame(software_list['value'])
df_subset = df[['id', 'name', 'vendor', 'weaknesses', 'publicExploit', 'activeAlert','exposedMachines','impactScore']]
spark_df = spark.createDataFrame(df_subset)
spark_df.write.mode("overwrite").format("delta").saveAsTable("software")

# write software_machine to table
print("write software_machine to table")
for software in software_list["value"]:
    print(software["name"])
    software_machine_list = fetch_defender_software_data(token, "/" + software["name"] + "/machineReferences")
    df = pd.DataFrame(software_machine_list['value'])
    df_subset = df[['id', 'softwareName', 'computerDnsName', 'osPlatform', 'rbacGroupName']]

    spark_df = spark.createDataFrame(df_subset)
    spark_df.write.mode("overwrite").format("delta").saveAsTable("software_machine")

# write software_vulnerability to table
print("write software_vulnerability to table")
for software in software_list["value"]:
    print(software["name"])
    software_vulnerability_list = fetch_defender_software_data(token, "/" + software["name"] + "/vulnerabilities")
    df = pd.DataFrame(software_vulnerability_list['value'])
    df_subset = df[['id', 'name', 'softwareName','severity','cvssV3', 'exposedMachines','publishedOn','updatedOn', 'publicExploit','exploitVerified', 'exploitInKit']]
    spark_df = spark.createDataFrame(df_subset)
    spark_df.write.mode("overwrite").format("delta").saveAsTable("software_vulnerability")

StatementMeta(, 74c0477a-7bff-446a-b992-068fb355f74b, 6, Finished, Available, Finished)

write software to table
write software_machine to table
microsoft-_-edge
microsoft-_-office
adobe-_-acrobatreader
google-_-chrome
zoom-_-zoomvideocommunications
slack-_-slacktechnologies
mozilla-_-firefox
autodesk-_-autocad
sap-_-sapbusinessone
oracle-_-java
write software_vulnerability to table
microsoft-_-edge
microsoft-_-office
adobe-_-acrobatreader
google-_-chrome
zoom-_-zoomvideocommunications
slack-_-slacktechnologies
mozilla-_-firefox
autodesk-_-autocad
sap-_-sapbusinessone
oracle-_-java
