Add windows defender problem detection custom plugin

kubernetes · May 12, 2021 · 767f0c1 · 767f0c1
1 parent 228f0f5
commit 767f0c1
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/config/plugin/windows_defender_problem.ps1 b/config/plugin/windows_defender_problem.ps1
@@ -0,0 +1,15 @@
+# This plugin checks to see if windows defender detects any threats to the node.
+
+$windowsDefenderThreats = Get-MpThreat
+$currentThreatDetected = $false
+
+foreach ($threat in $windowsDefenderThreats) {
+    $currentThreatDetected = $currentThreatDetected -or $threat.IsActive -or $threat.DidThreatExecute
+}
+
+if ($currentThreatDetected) {
+    echo $windowsDefenderThreats
+    exit 1
+} else {
+    exit 0
+}
diff --git a/config/windows-defender-monitor.json b/config/windows-defender-monitor.json
@@ -0,0 +1,21 @@
+{
+    "plugin": "custom",
+    "pluginConfig": {
+      "invoke_interval": "10m",
+      "timeout": "5s",
+      "max_output_length": 80,
+      "concurrency": 3
+    },
+    "source": "windows-defender-custom-plugin-monitor",
+    "metricsReporting": true,
+    "conditions": [],
+    "rules": [
+      {
+        "type": "temporary",
+        "reason": "WindowsDefenderThreatsDetected",
+        "path": "./config/plugin/windows_defender_problem.ps1",
+        "timeout": "3s"
+      }
+    ]
+  }
+