Forum Discussion
Larssen92
Feb 10, 2022
Brass Contributor
Logic App - MDATP permissions
Hi, I have a logic app, which is supposed to do (1) an advanced hunting query in Defender for Endpoint (MDATP), and then based on the result, it should (2) start an automated investigation, and (3...
- Feb 10, 2022
You can add them to an app registration; they are just a little weird to find vs MS Graph permissions.
On the Add a permission window in Azure AD, select 'APIs my organization uses', then type in WindowsDefenderATP. You should see it listed, select it, then application permissions. Then select the ones you need.
Guide here too - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide
nickselvaggio-msft
Microsoft
Feb 15, 2022
Larssen92 There are some built-in triggers for Logic Apps that may simplify this instead of interacting with the APIs directly.
In the advanced hunting page of M365 Defender, you can create a detection rule that will generate an alert when your query contains results:
You could then use the built-in Logic App trigger to start the workflow when an alert is received. This trigger supports service principals and managed identities:
For information on how to use a non-interactive account to access the Defender for Endpoint APIs (and also this logic app trigger), the following guide outlines the process: Create an app to access Microsoft Defender for Endpoint without a user | Microsoft Docs
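Added example (not from any post in this thread and not Microsoft's code): once the WindowsDefenderATP application permissions described in the replies are granted, the app-only access token can be inspected to confirm it carries exactly the roles the workflow needs and nothing broader. The audience URI, the two required role names (covering only the hunting query and the automated investigation steps) and the helper names are assumptions; the token is constructed inline and its signature is not verified.

```python
import base64
import json

# Assumption: audience (resource URI) of Defender for Endpoint API tokens.
MDE_AUDIENCE = "https://api.securitycenter.microsoft.com"
# Assumption: least-privilege application roles for steps (1) and (2) of the
# question: run an advanced hunting query, start an automated investigation.
REQUIRED_ROLES = {"AdvancedQuery.Read.All", "Alert.ReadWrite.All"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def audit_token(jwt: str, required=REQUIRED_ROLES) -> dict:
    """Inspect claims for a permission review; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 segments)")
    claims = json.loads(b64url_decode(parts[1]))
    # App-only tokens carry application permissions in 'roles';
    # delegated (user) tokens carry 'scp' instead.
    roles = set(claims.get("roles", []))
    return {
        "audience_ok": claims.get("aud") == MDE_AUDIENCE,
        "app_only": "roles" in claims and "scp" not in claims,
        "missing": sorted(set(required) - roles),   # workflow would get 403
        "excess": sorted(roles - set(required)),    # candidates for removal
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for offline demonstration."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed sample: one required role is absent, one unneeded role present.
    sample = make_sample_token({
        "aud": MDE_AUDIENCE,
        "roles": ["AdvancedQuery.Read.All", "Machine.Isolate"],
    })
    print(audit_token(sample))
```

An `excess` entry such as `Machine.Isolate` indicates the app registration holds more than the Logic App needs and can be trimmed in the same permissions blade.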