Forum Discussion

HA13029's avatar
HA13029
Brass Contributor
Feb 03, 2024
Solved

Azure Sentinel - Run Antivirus Scan using Logic App

Hello, I have to integrate antivirus run scan into azure sentinel using playbook (template Run MDE Antivirus - Incident Trigger). According to the prerequisites, I need to grant some permissions us...
microsoft defender for endpoint
playbooks
soar
  • keenanbrooks's avatar
    keenanbrooks
    Feb 03, 2024

    Hey @HA01329.

    So your managed identity will have Scan permissions now. There's an issue with the PowerShell and the $PermissionName variable (line 3) is what needs to be changed to fix the other two perm assignments.

    My PowerShell isn't that good so we are going to take the noob way out. Run the code two more times and change line 3 from $PermissionName = 'Machine.Scan' to $PermissionName = 'Machine.Read.All' on run 1 and $PermissionName = 'Machine.ReadWrite.All' on run 2.

    This will flag errors but when you view the managed identity it will then have all permissions required. I will probably get giggled at for the above but its a workaround until I look into PowerShell more!

    (I had a quick look into the perms, and Machine.Scan should include the read perms anyway and Machine.ReadWrite.All shouldn't be needed as I don't believe the logic app includes tagging etc? So this logic app/playbook should now work without you running the code 2 more times for the extra perms, but to leave out any doubts and link with the prereqs I've included the work around anyway)

    Have a good weekend 🙂

HA13029's avatar
HA13029
Brass Contributor
Feb 03, 2024
Hi,

PS /home/system> Connect-AzureAD
PS /home/system> $MIGuid = '0fff8f4e-xxxx-xxxxx-xxxx-xxxxxxxxxxxx'
PS /home/system> $MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
PS /home/system> $MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92'
PS /home/system> $PermissionName = 'Machine.Scan'
PS /home/system> $MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
PS /home/system> $AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
PS /home/system> New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id $PermissionName = 'Machine.Read.All'
New-AzureADServiceAppRoleAssignment: A positional parameter cannot be found that accepts argument 'Machine.Scan'.
PS /home/system> $AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
PS /home/system> New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id $PermissionName = 'Machine.ReadWrite.All'
New-AzureADServiceAppRoleAssignment: A positional parameter cannot be found that accepts argument 'Machine.Scan'.
PS /home/system> $AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
PS /home/system> New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
New-AzureADServiceAppRoleAssignment: Error occurred while executing NewServicePrincipalAppRoleAssignment
Code: Request_BadRequest
Message: Permission being assigned already exists on the object
RequestId: 0870e06a-e213-4266-9988-9cca542bf5e3
DateTimeStamp: Sat, 03 Feb 2024 16:11:01 GMT
Details: PropertyName - None, PropertyErrorCode - InvalidUpdate
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed

PS: I run the code twice...

Regards,

HA
keenanbrooks's avatar
keenanbrooks
Brass Contributor
Feb 03, 2024

Hey @HA01329.

So your managed identity will have Scan permissions now. There's an issue with the PowerShell and the $PermissionName variable (line 3) is what needs to be changed to fix the other two perm assignments.

My PowerShell isn't that good so we are going to take the noob way out. Run the code two more times and change line 3 from $PermissionName = 'Machine.Scan' to $PermissionName = 'Machine.Read.All' on run 1 and $PermissionName = 'Machine.ReadWrite.All' on run 2.

This will flag errors but when you view the managed identity it will then have all permissions required. I will probably get giggled at for the above but its a workaround until I look into PowerShell more!

(I had a quick look into the perms, and Machine.Scan should include the read perms anyway and Machine.ReadWrite.All shouldn't be needed as I don't believe the logic app includes tagging etc? So this logic app/playbook should now work without you running the code 2 more times for the extra perms, but to leave out any doubts and link with the prereqs I've included the work around anyway)

Have a good weekend 🙂

  • deepakray4623's avatar
    deepakray4623
    Copper Contributor
    Oct 07, 2024

    HA13029  - I am getting this error; What could be the possible solution?

    What ID do I need to define? I have already defined appid and GUID in the script. 

     

    PS C:\Users\dd> New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id $PermissionName = 'Machine.Read.All'
New-AzureADServiceAppRoleAssignment : Cannot bind argument to parameter 'Id' because it is null.

     I appreciate any help you can provide. Thanks In Advance. 

     

     

  • HA13029's avatar
    HA13029
    Brass Contributor
    Feb 05, 2024
    Hi,

    I followed your advices and add one more permissions (Alert.ReadWrite.All) and ... IT WORKS !!
    The Logic app triggers AV scan on the target computer.
    Many thanks for your help !!

    Regards,

    HA


Resources