Forum Discussion
Logic App - MDATP permissions
- Feb 11, 2022
You can add them to an app registration; they are just a little weird to find vs MS Graph permissions.
On the Add a permission window in Azure AD, select 'APIs my organization uses', then type in WindowsDefenderATP. You should see it listed; select it, then application permissions. Then select the ones you need.
Guide here too - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide
Larssen92 There's some built-in triggers for Logic Apps that may simplify this instead of interacting with the APIs directly.
In the advanced hunting page of M365 Defender, you can create a detection rule that will generate an alert when your query contains results.
You could then use the built-in Logic App trigger to start the workflow when an alert is received. This trigger supports service principals and managed identities.
For information on how to use a non-interactive account to access the Defender for Endpoint APIs (and also this Logic App trigger), the following guide outlines the process: Create an app to access Microsoft Defender for Endpoint without a user | Microsoft Docs
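As an added example (not code from either poster or from the linked Microsoft guide), the non-interactive flow described in the two posts above, written in PowerShell: the app registration's client credentials are exchanged for an app-only token whose scope is the WindowsDefenderATP resource (not Microsoft Graph), the token's `roles` claim is checked for the application permission that was granted and consented, and the alerts API is then queried with a server-side OData filter so only the alerts of interest come back. The tenant ID, client ID, client secret and the `Alert.Read.All` role are assumptions about your own app registration; replace the placeholders before running.

```powershell
# Added example: app-only access to the Defender for Endpoint alerts API.
# Placeholders (assumed): fill in from your own app registration.
$TenantId     = '<tenant-id>'
$ClientId     = '<app-registration-client-id>'
$ClientSecret = '<client-secret>'

# Client-credentials grant against the v2.0 token endpoint. The scope is the
# Defender for Endpoint resource; a Graph scope would yield a token the MDE API rejects.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$accessToken = $tokenResponse.access_token

# Sanity check before calling the API: decode the JWT payload (base64url) and make
# sure the application permission we expect (assumed: Alert.Read.All) is present.
# A missing role usually means the permission was added but admin consent was not granted.
$payload = $accessToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
if (-not ($claims.roles -contains 'Alert.Read.All')) {
    throw "Token has roles [$($claims.roles -join ', ')] but not Alert.Read.All; check API permissions and admin consent."
}

# Server-side OData filter: new, high-severity alerts created in the last 24 hours.
# Filtering here avoids pulling every alert and discarding most of them client-side.
$since  = (Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "alertCreationTime gt $since and severity eq 'High' and status eq 'New'"
$uri    = "https://api.securitycenter.microsoft.com/api/alerts?`$filter=$([uri]::EscapeDataString($filter))"

$headers = @{ Authorization = "Bearer $accessToken" }
$alerts  = (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).value

# Show the fields you would typically route into a workflow.
$alerts | Select-Object id, title, severity, status, alertCreationTime
```

The `roles` check is the quickest way to tell "wrong permission type" (delegated instead of application) or "consent not granted" apart from a genuine API error, since both otherwise surface only as a 401/403 from the alerts endpoint. Keep the client secret out of the script in practice (Key Vault or a managed identity, as the second post notes the trigger supports).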
- antonwestin, Apr 18, 2023, Copper Contributor
nickselvaggio-msft Will this way of setting up the trigger receive all the defender alerts?
I would like to filter out a specific alert, which I'm currently doing with a condition element afterwards, but it still seems like the logic app runs every time any new alert is received. I guess it's not possible to get around this in some way, to only run it when the wanted alert is received?