demisto · noydavidi · Dec 17, 2024 · Dec 17, 2024 · Dec 17, 2024 · Dec 18, 2024
@@ -145,6 +145,62 @@ class Resources:
     'gcc-high': 'https://login.microsoftonline.us',
 }
 
+MICROSOFT_365_DEFENDER_TYPE = {
+    "Worldwide": "com",
+    "US Geo Proximity": "geo-us",
+    "EU Geo Proximity": "geo-eu",
+    "UK Geo Proximity": "geo-uk",
+    "AU Geo Proximity": "geo-au",
+    "SWA Geo Proximity": "geo-swa",
+    "INA Geo Proximity": "geo-ina",
+    "US GCC": "gcc",
+    "US GCC-High": "gcc-high",
+    "DoD": "dod",
+}
+
+# https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list
+# https://learn.microsoft.com/en-us/defender-xdr/usgov?view=o365-worldwide
+MICROSOFT_365_DEFENDER_API_ENDPOINTS = {
+    "com": "https://api.security.microsoft.com",
+    "geo-us": "https://us.api.security.microsoft.com",
+    "geo-eu": "https://eu.api.security.microsoft.com",
+    "geo-uk": "https://uk.api.security.microsoft.com",
+    "geo-au": "https://au.api.security.microsoft.com",
+    "geo-swa": "https://swa.api.security.microsoft.com",
+    "geo-ina": "https://ina.api.security.microsoft.com",
+    "gcc": "https://api-gcc.security.microsoft.us",
+    "gcc-high": "https://api-gov.security.microsoft.us",
+    "dod": "https://api-gov.security.microsoft.us",
+}
+
+# https://learn.microsoft.com/en-us/defender-xdr/usgov?view=o365-worldwide
+MICROSOFT_365_DEFENDER_TOKEN_RETRIEVAL_ENDPOINTS = {
+    'com': 'https://login.windows.net',
+    'geo-us': 'https://login.windows.net',
+    'geo-eu': 'https://login.windows.net',
+    'geo-uk': 'https://login.windows.net',
+    "geo-au": 'https://login.windows.net',
+    "geo-swa": 'https://login.windows.net',
+    "geo-ina": 'https://login.windows.net',
+    "gcc": "https://login.microsoftonline.com",
+    "gcc-high": "https://login.microsoftonline.us",
+    "dod": "https://login.microsoftonline.us",
+}
+
+MICROSOFT_365_DEFENDER_SCOPES = {
+    'com': "https://security.microsoft.com/mtp",
+    'geo-us': 'https://security.microsoft.com',
+    'geo-eu': 'https://security.microsoft.com',
+    'geo-uk': 'https://security.microsoft.com',
+    "geo-au": 'https://security.microsoft.com',
+    "geo-swa": 'https://security.microsoft.com',
+    "geo-ina": 'https://security.microsoft.com',
+    'gcc': 'https://security.microsoft.com',
+    'gcc-high': 'https://security.microsoft.us',
+    'dod': 'https://security.apps.mil',
+}
+
+
 # Azure Managed Identities
 MANAGED_IDENTITIES_TOKEN_URL = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01'
 MANAGED_IDENTITIES_SYSTEM_ASSIGNED = 'SYSTEM_ASSIGNED'
@@ -636,6 +692,17 @@ def get_azure_cloud(params, integration_name):
     return AZURE_CLOUDS.get(AZURE_CLOUD_NAME_MAPPING.get(azure_cloud_arg), AZURE_WORLDWIDE_CLOUD)  # type: ignore[arg-type]
 
 
+def microsoft_defender_get_base_url(base_url: str, endpoint_type: str) -> str:
+    if endpoint_type == 'Custom':
+        if not base_url:
+            raise DemistoException("Endpoint type is set to 'Custom' but no URL was provided.")
+        url = base_url
+    else:
+        endpoint = MICROSOFT_365_DEFENDER_TYPE.get(endpoint_type, 'com')
+        url = MICROSOFT_365_DEFENDER_API_ENDPOINTS.get(endpoint, 'https://api.security.microsoft.com')
+    return url
+
+
 class MicrosoftClient(BaseClient):
     def __init__(self, tenant_id: str = '',
                  auth_id: str = '',
@@ -1387,15 +1454,22 @@ def _add_info_headers() -> dict[str, str]:
     def device_auth_request(self) -> dict:
         response_json = {}
         try:
+            if self.tenant_id:
+                url = f'{self.azure_ad_endpoint}/{self.tenant_id}/oauth2/v2.0/devicecode'
+            else:
+                url = f'{self.azure_ad_endpoint}/organizations/oauth2/v2.0/devicecode'
             response = requests.post(
-                url=f'{self.azure_ad_endpoint}/organizations/oauth2/v2.0/devicecode',
+                url=url,
                 data={
                     'client_id': self.client_id,
                     'scope': self.scope
                 },
                 verify=self.verify
             )
             if not response.ok:
+                if "National Cloud" in self.error_parser(response):
+                    return_error(f'Error in Microsoft authorization. Status: {response.status_code},'
+                                 f' The tenant is not supported by GCC-High. body: {self.error_parser(response)}')
                 return_error(f'Error in Microsoft authorization. Status: {response.status_code},'
                              f' body: {self.error_parser(response)}')
             response_json = response.json()

diff --git a/Packs/AzureActiveDirectory/ReleaseNotes/1_3_28.md b/Packs/AzureActiveDirectory/ReleaseNotes/1_3_28.md
@@ -0,0 +1,5 @@
+#### Integrations
+
+##### Azure Active Directory Identity Protection  (Deprecated)
+
+Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
diff --git a/Packs/AzureActiveDirectory/pack_metadata.json b/Packs/AzureActiveDirectory/pack_metadata.json
@@ -3,7 +3,7 @@
     "description": "Deprecated. Use Microsoft Graph Identity and Access instead.",
     "support": "xsoar",
     "hidden": true,
-    "currentVersion": "1.3.27",
+    "currentVersion": "1.3.28",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/AzureCompute/ReleaseNotes/1_2_33.md b/Packs/AzureCompute/ReleaseNotes/1_2_33.md
@@ -0,0 +1,5 @@
+#### Integrations
+
+##### Azure Compute v2
+
+Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
diff --git a/Packs/AzureCompute/pack_metadata.json b/Packs/AzureCompute/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Azure Compute",
     "description": "Create and Manage Azure Virtual Machines",
     "support": "xsoar",
-    "currentVersion": "1.2.32",
+    "currentVersion": "1.2.33",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/AzureDataExplorer/ReleaseNotes/1_3_7.md b/Packs/AzureDataExplorer/ReleaseNotes/1_3_7.md
@@ -0,0 +1,5 @@
+#### Integrations
+
+##### Azure Data Explorer
+
+Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
diff --git a/Packs/AzureDataExplorer/pack_metadata.json b/Packs/AzureDataExplorer/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Azure Data Explorer",
     "description": "Use Azure Data Explorer integration to collect and analyze data inside clusters of Azure Data Explorer and manage search queries.",
     "support": "xsoar",
-    "currentVersion": "1.3.6",
+    "currentVersion": "1.3.7",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/AzureDevOps/ReleaseNotes/1_4_7.md b/Packs/AzureDevOps/ReleaseNotes/1_4_7.md
@@ -0,0 +1,5 @@
+#### Integrations
+
+##### AzureDevOps
+
+Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
diff --git a/Packs/AzureDevOps/pack_metadata.json b/Packs/AzureDevOps/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "AzureDevOps",
     "description": "Create and manage Git repositories in Azure DevOps Services.",
     "support": "xsoar",
-    "currentVersion": "1.4.6",
+    "currentVersion": "1.4.7",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/AzureFirewall/ReleaseNotes/1_2_0.md b/Packs/AzureFirewall/ReleaseNotes/1_2_0.md
@@ -0,0 +1,5 @@
+#### Integrations
+
+##### Azure Firewall
+
+Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
diff --git a/Packs/AzureFirewall/pack_metadata.json b/Packs/AzureFirewall/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Azure Firewall",
     "description": "Azure Firewall is a cloud-native and intelligent network firewall security service that provides breed threat protection for cloud workloads running in Azure. It's a fully stateful firewall as a service, with built-in high availability and unrestricted cloud scalability. This pack contains an integration with a main goal to manage Azure Firewall security service, and normalization rules for ingesting and modeling Azure Firewall Resource logs.",
     "support": "xsoar",
-    "currentVersion": "1.1.46",
+    "currentVersion": "1.2.0",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/AzureKeyVault/ReleaseNotes/1_1_50.md b/Packs/AzureKeyVault/ReleaseNotes/1_1_50.md
@@ -0,0 +1,5 @@
+#### Integrations
+
+##### Azure Key Vault
+
+Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
diff --git a/Packs/AzureKeyVault/pack_metadata.json b/Packs/AzureKeyVault/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Azure Key Vault",
     "description": "Use Key Vault to safeguard and manage cryptographic keys and secrets used by cloud applications and services.",
     "support": "xsoar",
-    "currentVersion": "1.1.49",
+    "currentVersion": "1.1.50",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/AzureKubernetesServices/ReleaseNotes/1_2_5.md b/Packs/AzureKubernetesServices/ReleaseNotes/1_2_5.md
@@ -0,0 +1,5 @@
+#### Integrations
+
+##### Azure Kubernetes Services
+
+Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
diff --git a/Packs/AzureKubernetesServices/pack_metadata.json b/Packs/AzureKubernetesServices/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Azure Kubernetes Services",
     "description": "Deploy and manage containerized applications with a fully managed Kubernetes service.",
     "support": "xsoar",
-    "currentVersion": "1.2.4",
+    "currentVersion": "1.2.5",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/AzureLogAnalytics/ReleaseNotes/1_2_0.md b/Packs/AzureLogAnalytics/ReleaseNotes/1_2_0.md
@@ -0,0 +1,5 @@
+#### Integrations
+
+##### Azure Log Analytics
+
+Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
diff --git a/Packs/AzureLogAnalytics/pack_metadata.json b/Packs/AzureLogAnalytics/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Azure Log Analytics",
     "description": "Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments.",
     "support": "xsoar",
-    "currentVersion": "1.1.43",
+    "currentVersion": "1.2.0",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/AzureNetworkSecurityGroups/ReleaseNotes/1_2_37.md b/Packs/AzureNetworkSecurityGroups/ReleaseNotes/1_2_37.md
@@ -0,0 +1,5 @@
+#### Integrations
+
+##### Azure Network Security Groups
+
+Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
diff --git a/Packs/AzureNetworkSecurityGroups/pack_metadata.json b/Packs/AzureNetworkSecurityGroups/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Azure Network Security Groups",
     "description": "Azure Network Security Groups are used to filter network traffic to and from Azure resources in an Azure virtual network",
     "support": "xsoar",
-    "currentVersion": "1.2.36",
+    "currentVersion": "1.2.37",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/AzureResourceGraph/ReleaseNotes/1_0_6.md b/Packs/AzureResourceGraph/ReleaseNotes/1_0_6.md
@@ -0,0 +1,5 @@
+#### Integrations
+
+##### Azure Resource Graph
+
+Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
diff --git a/Packs/AzureResourceGraph/pack_metadata.json b/Packs/AzureResourceGraph/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Azure Resource Graph",
     "description": "Azure Resource Graph is an Azure service designed to extend Azure Resource Management by providing efficient and performant resource exploration with the ability to query at scale across a given set of resources. This pack is primarily used to allow for executing Azure Resource Graph queries.",
     "support": "xsoar",
-    "currentVersion": "1.0.5",
+    "currentVersion": "1.0.6",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/AzureRiskyUsers/ReleaseNotes/1_2_0.md b/Packs/AzureRiskyUsers/ReleaseNotes/1_2_0.md
@@ -0,0 +1,5 @@
+#### Integrations
+
+##### Azure Risky Users
+
+Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
diff --git a/Packs/AzureRiskyUsers/pack_metadata.json b/Packs/AzureRiskyUsers/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Azure Risky Users",
     "description": "Azure Risky Users provides access to all at-risk users and risk detections in Azure AD environment.",
     "support": "xsoar",
-    "currentVersion": "1.1.42",
+    "currentVersion": "1.2.0",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/AzureSQLManagement/ReleaseNotes/1_2_5.md b/Packs/AzureSQLManagement/ReleaseNotes/1_2_5.md
@@ -0,0 +1,5 @@
+#### Integrations
+
+##### Azure SQL Management
+
+Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
diff --git a/Packs/AzureSQLManagement/pack_metadata.json b/Packs/AzureSQLManagement/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Azure SQL Management",
     "description": "Microsoft Azure SQL Database is a managed cloud database provided as part of Microsoft Azure",
     "support": "xsoar",
-    "currentVersion": "1.2.4",
+    "currentVersion": "1.2.5",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/AzureSecurityCenter/ReleaseNotes/2_1_0.md b/Packs/AzureSecurityCenter/ReleaseNotes/2_1_0.md
@@ -0,0 +1,9 @@
+#### Integrations
+
+##### Microsoft Defender for Cloud Event Collector
+
+Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
+
+##### Microsoft Defender for Cloud
+
+Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
diff --git a/Packs/AzureSecurityCenter/pack_metadata.json b/Packs/AzureSecurityCenter/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Microsoft Defender for Cloud",
     "description": "Unified security management and advanced threat protection across hybrid cloud workloads.",
     "support": "xsoar",
-    "currentVersion": "2.0.35",
+    "currentVersion": "2.1.0",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/AzureSentinel/ReleaseNotes/1_6_0.md b/Packs/AzureSentinel/ReleaseNotes/1_6_0.md
@@ -0,0 +1,5 @@
+#### Integrations
+
+##### Microsoft Sentinel
+
+Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
diff --git a/Packs/AzureSentinel/pack_metadata.json b/Packs/AzureSentinel/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Microsoft Sentinel",
     "description": "Microsoft Sentinel is a cloud-native security information and event manager (SIEM) platform that uses built-in AI to help analyze large volumes of data across an enterprise.",
     "support": "xsoar",
-    "currentVersion": "1.5.57",
+    "currentVersion": "1.6.0",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/AzureStorage/ReleaseNotes/1_2_32.md b/Packs/AzureStorage/ReleaseNotes/1_2_32.md
@@ -0,0 +1,5 @@
+#### Integrations
+
+##### Azure Storage Management
+
+- Added support for National Cloud in Microsoft 365 Defender, implemented in the Microsoft API Module.
diff --git a/Packs/AzureStorage/pack_metadata.json b/Packs/AzureStorage/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Azure Storage Management",
     "description": "Deploy and manage storage accounts and blob service properties.",
     "support": "xsoar",
-    "currentVersion": "1.2.31",
+    "currentVersion": "1.2.32",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",