LeenoldTN
Jan 05, 2023
Copper Contributor
SOAR - Automatically closing incidents from Microsoft Defender for Office
Hi All, I am trying to leverage Microsoft Sentinel's SOAR capabilities to automatically close false positive alerts from Microsoft Defender for Office. The particular policy I want to address now...
Nathan Swift
Microsoft
Jan 05, 2023
LeenoldTN - one other idea is to use the HTTP action against the Adv Hunting API to return the KQL results
Variable: String (place KQL here)
HTTP Action: using Managed Identity with API perms (AdvancedQuery.Read.All):
POST: https://api.securitycenter.windows.com/api/advancedqueries/run
{
    "Query": "@{variables('AdvHuntKQLQuery')}"
}
An example of this being used and how to set the MSI with permissions to the Adv Hunt API can be found here: Microsoft-Defender-for-Cloud/Workflow automation/Create-MDEDeviceTagArc at main · Azure/Microsoft-Defender-for-Cloud · GitHub
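As an added example, not part of the reply above or of the linked Azure repository, the HTTP call it describes modelled in Python so that the request body and the response handling can be checked offline before wiring it into a playbook. It assumes a bearer token has already been obtained for the managed identity (a placeholder string here), uses a constructed KQL query and a constructed response, and keeps the endpoint as a parameter. Function names, the sample alert titles and the AlertId values are all constructed for the example.

```python
import json
from typing import Any, Dict, Iterable, List

# Endpoint and application permission exactly as named in the reply above.
ADV_HUNT_URL = "https://api.securitycenter.windows.com/api/advancedqueries/run"
REQUIRED_APP_PERMISSION = "AdvancedQuery.Read.All"

# Constructed sample query. The alert title is a placeholder, not a real
# Defender for Office 365 policy or alert name.
SAMPLE_KQL = """AlertInfo
| where ServiceSource == "Microsoft Defender for Office 365"
| where Title == "Constructed policy alert A"
| project AlertId, Title, ServiceSource"""


def build_hunting_request(kql: str, token: str = "<ACCESS_TOKEN>",
                          url: str = ADV_HUNT_URL) -> Dict[str, Any]:
    """Return the POST that the Logic App's HTTP action sends.

    json.dumps() does the quoting and escaping that a raw @{variables(...)}
    interpolation into the body text does not, so a query containing double
    quotes or newlines still produces a valid JSON body.
    """
    if not kql.strip():
        raise ValueError("empty KQL query")
    return {
        "method": "POST",
        "url": url,
        "headers": {
            "Authorization": f"Bearer {token}",  # token is a placeholder here
            "Content-Type": "application/json",
        },
        "body": json.dumps({"Query": kql}),
    }


def parse_hunting_response(raw: str) -> List[Dict[str, Any]]:
    """Normalise a hunting response into a list of row dicts.

    The MDE endpoint from the reply returns {"Schema": [...], "Results": [...]};
    the Microsoft Graph security hunting endpoint returns the same shape with
    lowercase keys. Both are accepted. A body without a results array (for
    example an error envelope) raises instead of silently yielding no rows,
    so a failed query never looks like "nothing to close".
    """
    data = json.loads(raw)
    results = data.get("Results", data.get("results"))
    if results is None:
        raise RuntimeError(f"no results array in response: {raw[:200]}")
    return list(results)


def alert_ids_to_close(rows: Iterable[Dict[str, Any]], allowed_titles: Iterable[str],
                       service_source: str = "Microsoft Defender for Office 365") -> List[str]:
    """Select the AlertId values that are safe to hand to the closing step.

    A row must match both an allow-listed title and the expected ServiceSource,
    so an alert from another product that happens to share a title is never
    closed as a false positive.
    """
    allowed = set(allowed_titles)
    return [
        row["AlertId"]
        for row in rows
        if row.get("Title") in allowed and row.get("ServiceSource") == service_source
    ]


# Constructed sample response in the MDE endpoint's shape (Stats/Schema/Results).
SAMPLE_RESPONSE = json.dumps({
    "Stats": {"ExecutionTime": 0.05},
    "Schema": [
        {"Name": "AlertId", "Type": "String"},
        {"Name": "Title", "Type": "String"},
        {"Name": "ServiceSource", "Type": "String"},
    ],
    "Results": [
        {"AlertId": "fa-example-0001", "Title": "Constructed policy alert A",
         "ServiceSource": "Microsoft Defender for Office 365"},
        {"AlertId": "fa-example-0002", "Title": "Constructed policy alert B",
         "ServiceSource": "Microsoft Defender for Office 365"},
        {"AlertId": "da-example-0003", "Title": "Constructed policy alert A",
         "ServiceSource": "Microsoft Defender for Endpoint"},
    ],
})


if __name__ == "__main__":
    req = build_hunting_request(SAMPLE_KQL)
    print(req["body"])  # valid JSON even though the KQL contains double quotes
    rows = parse_hunting_response(SAMPLE_RESPONSE)
    print(alert_ids_to_close(rows, {"Constructed policy alert A"}))  # ['fa-example-0001']
```

Two points the model makes visible. First, the body must be a JSON string, which is why the query is serialized rather than pasted into the body text; in the Logic App this is the difference between a quoted `"@{variables(...)}"` and a bare interpolation. Second, the endpoint in the reply is the Microsoft Defender for Endpoint hunting API; email tables such as those a Defender for Office policy would be matched against are queried through the Microsoft 365 Defender hunting API exposed by Microsoft Graph security (`runHuntingQuery`, with its own permission), which is why the URL is a parameter and the parser accepts both response casings.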