
MDATP Python automation

Automate machine isolation with Python script

In this blog, we will use Python (!) to automate a response to a high severity alert, by isolating the machine involved.

In a previous blog, we provided a PowerShell script with the same functionality. Due to several requests we want to demonstrate the same with Python as well.

Let’s start

  • Step 1: Add the required permission to your application 
  • Step 2: Download the script and insert your credentials
  • Step 3: Run the script and bask in automation glory

Step 1: Add the required permission to the application

If you’ve already created an app, you can skip ahead to the “Add isolation permissions” section below. If you haven’t, first create one using the instructions in the first part of the Hello world blog, and then move on to “Add isolation permissions”.

Please save your Application key, Application ID and Tenant ID while you create your app; you will use them soon (instructions on where to find these are in the blog linked above).

Add isolation permissions:

  • Open Azure portal 
  • Navigate to Azure Active Directory > App registrations 
  • Under All Apps, find and select the application, for example ContosoSIEMConnector 
  • Click on View API Permissions > then Add a permission
  • Select the checkbox for the Isolate machine application permission (make sure you have the “Read alerts” permission as well). (Screenshot: add_perms.png)

  • Click Save and Grant Permissions
  • Click on Grant admin consent. Make sure that the new permissions have admin consent as seen below (Read all alerts & Isolate machine). (Screenshot: admin_consent.png)

Done! You have successfully added the required permissions to the application.

Step 2: Download the script and insert your credentials

Download the isolation.py file (attached below).

Remember when I asked you to save your Application key, Application ID and Tenant ID from the Azure portal? We will now embed them into the script. Paste the values as strings (between a pair of quotation marks) at line 9 of the script, as shown in the screenshot (token_args_new.png).

This will allow the script to use the API freely, so you won’t have to pass those values every time you run it.

Step 3: Run the script

Open PowerShell, go to the directory you saved the script in and run the following command:

python isolation.py "Comment regarding the isolation" Full

That’s it! You are DONE!

 

The script will print out the MachineID of the isolated machines and the AlertID of the alert that triggered the isolation.

The arguments that are passed to the script are:

Parameter       Type     Description
Comment         String   Comment to associate with the action. Required.
IsolationType   String   Type of the isolation. Allowed values are: 'Full' or 'Selective'. Required.

You can read more about our API in this link

Bonus step: Isolate a single machine using MachineID

This script can also isolate a single machine; you simply need to provide the ID of that machine. You can find the MachineID in the URL of the machine page in the security center (screenshot: machineID.png).

Now, simply run the script, same as before, but pass the MachineID as the first argument as follows:

python isolation.py 31bf22448170e3df65430b81fff82fbb30285cec "Comment regarding the isolation" Full

The rest of the arguments are the same as above.
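Since isolation.py is only attached to the post, here is an added example (not the attached script, not Microsoft's code) that implements the same flow described in Steps 2, 3 and the bonus step: client-credentials token from Azure AD, then either isolate the MachineID given as the first argument or isolate every machine with a High severity alert, printing MachineID and AlertID. The placeholder credential names, the API base URL, token endpoint, OData filter and isolate endpoint are my assumptions about the public WDATP API, so check them against the API documentation linked above.

```python
import json, sys, urllib.parse, urllib.request
# Placeholders for the values saved in Step 1 (paste your own; assumed names).
TENANT_ID, APP_ID, APP_SECRET = "<tenant id>", "<application id>", "<application key>"
RESOURCE = "https://api.securitycenter.microsoft.com"  # assumed WDATP API base
AUTH_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/token"  # assumed
def parse_args(argv):
    """Return (machine_id, comment, isolation_type); machine_id is None in alert mode."""
    if len(argv) == 2:
        machine_id, comment, isolation_type = None, argv[0], argv[1]
    elif len(argv) == 3:
        machine_id, comment, isolation_type = argv
    else:
        raise SystemExit("usage: isolation.py [MachineID] Comment Full|Selective")
    if isolation_type not in ("Full", "Selective"):
        raise ValueError("IsolationType must be 'Full' or 'Selective'")
    return machine_id, comment, isolation_type

def get_token():
    """Client-credentials token for the app registered in Step 1."""
    form = {"resource": RESOURCE, "client_id": APP_ID, "client_secret": APP_SECRET, "grant_type": "client_credentials"}
    req = urllib.request.Request(AUTH_URL, data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req) as r:
        return json.load(r)["access_token"]

def api_call(token, path, payload=None):
    # GET when payload is None, otherwise POST it as JSON; returns the parsed response.
    req = urllib.request.Request(RESOURCE + "/api" + path,
                                 data=None if payload is None else json.dumps(payload).encode(),
                                 headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)

def targets_from_alerts(alerts):
    """(machineId, alertId) for each distinct machine that has a High severity alert."""
    seen = {}
    for a in alerts.get("value", []):
        if a.get("severity") == "High" and a.get("machineId"):
            seen.setdefault(a["machineId"], a.get("id"))  # first alert per machine wins
    return sorted(seen.items())

def main(argv):
    machine_id, comment, isolation_type = parse_args(argv)
    token = get_token()
    targets = [(machine_id, None)] if machine_id else targets_from_alerts(
        api_call(token, "/alerts?$filter=" + urllib.parse.quote("severity eq 'High'")))
    for mid, alert_id in targets:
        action = api_call(token, f"/machines/{mid}/isolate", {"Comment": comment, "IsolationType": isolation_type})
        print(f"Isolated MachineID {mid} (AlertID {alert_id}); action {action.get('id')}")
if __name__ == "__main__":
    main(sys.argv[1:])
```

In alert mode the filter matches every High alert regardless of status, so add a status condition to the filter if you only want to act on alerts that are still open.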

You can use this functionality to build more (exciting) automations!

 

As always, we would love to get your thoughts and feedback.

Thanks,

@Itai Zur, program manager, Windows Defender ATP

@Dan Michelson, program manager, Windows Defender ATP

@Haim Goldshtein, security software engineer, Windows Defender ATP

7 Comments
Contributor

This type of automated isolation is available from many other vendors, such as Sophos, already built into their products, without needing any scripting.

 

Why would a company decide to move to WDATP if automatic response isn't natively built into the application?

Microsoft

Thanks Lynn,

 

Auto Response is supported. Moreover, Auto Investigation and response is supported and it is unique.

Read on one of the advanced capabilities of the Auto Investigation and Response.

We recommend using the API for response automation in many custom actions (e.g. automating cross-product actions).

 

Will be happy to assist.

Contributor

Sure. I'm happy to learn how to auto-isolate a machine without applying any other remediation actions.

 

Using only the WDATP dashboard, where do I go to set up auto-isolation for a machine, while not allowing any other remediation actions to apply until someone can put eyes on the dashboard to look at the threat? API, Flow, PowerShell access or other custom solutions should not be required for this to occur.

 

I'm coming from the view of a SMB that has less than 100 computers, and possibly only one IT support person on staff, and that IT person may be at lunch, or the user was on their work laptop, after hours, at a conference 1000 miles away.

 

Reading this, it sounds snarky, but I promise it's not :) I want, very much, to recommend WDATP to companies, but if functionality is reliant on custom API/Powershell usage, I can't do that.

Microsoft

Thanks for the feedback.

 

100-machine customers love Flow.

I recommend considering it.

 

Would be great if you share a little bit more about the requirements.

Are you looking for a solution that will isolate every infected machine?

Please explain the e2e story with the logic you believe is acceptable.

Customers love the Flow story as they build a balanced isolation use case that works anytime, anywhere. In 5 minutes they created isolation flows where they get a notification on their mobile phones. There they can decide with a click if they approve the isolation.

 

Waiting for your feedback.

Contributor

Requirement: Auto isolation of machine due to a compromise, such as traffic to a suspected C2 server is found.

The SMB is actively looking for a threat protection solution and evaluating them.

 

Scenario: SMB, has between 10 and 100 computers, very small number of tech support staff, not using an MSP for daily monitoring or support. Has a small number of servers, including file servers on-prem that are accessed by VPN.

 

It's well after hours, the IT support tech is sleeping. Another employee is connected to the company network through the VPN.

 

Traffic to a suspected C2 server is then identified on the laptop. 

 

The security application should automatically isolate the laptop, without human intervention, due to the possible malicious traffic.

 

In an enterprise you may or may not take advantage of that type of functionality, but with an SMB, it could be a life saver.

 

Microsoft

Interesting. Thanks.

How would you imagine the experience of an SMB customer defining the policy for this? I mean, how will they predefine which cases to isolate and which not?

 

I believe the best way to prove the use case is to prototype with Flow. Hundreds of SMB customers are doing this. The question is why not try, and if we find a flow that is voted as valid for many customers we can make it.

 

I'm also taking feedback to be considered in the auto IR feature (I assume you are familiar with it).

 

Thanks again 

Contributor

I'm not familiar with the Auto IR feature request, I may have missed that.

 

The ability to even create a Flow for this would be difficult for many SMBs. I wish that wasn't true, but it is. I'm sure you've heard about the ransomware payouts in Florida; I live an hour away from one of those sites, and I can tell you from experience that InfoSec is the wild west in Florida, if not the entire world. It's a mess because security solutions are either difficult to deploy and manage, they are much too expensive, or there is a lack of talent or just plain bad management. I'm preaching to the choir here though; I am sure you are familiar with all the reasons why InfoSec practices are as bad as they are.

 

I just feel that Microsoft has a real chance of changing all of that, more than just about any vendor out there, especially in the SMB market.

 

With the machine learning that WDATP has available, what I envision is that the WDATP service would auto-isolate a machine due to the current risk level of either the user or the machine. That is different than what other vendors do now. Other vendor solutions have the ability to isolate a machine if various risks are found, C2 traffic, the firewall was disabled, the engine was disabled. How much that feature is used, I don't know, but for a small shop, I'd rather a machine be auto isolated than risk data loss. Much like MFA, Isolation isn't fool proof, but the benefits well outweigh the limitations.

 

I'm all for Flow, and if Flow is the way that you envision this working, then that Flow needs to be deployed from the MDATP console, not needing to be searched for, and not needing any other configuration. It just needs to be easy. Some of that functionality is also available in Intune, but again, you are heading into the "this is difficult to deploy" category. I know there are some Flows in preview that Microsoft has built for MDATP and Cloud App Security that just need to be extended a bit more. Also, with the Unified console in preview, the ability to build all sorts of wonderful things will be available, but not all companies are going to be able to build those Flows. I'm not saying Microsoft needs to build Flows for all situations, but some of the major ones, such as isolation, should be. (Yes, there is a Flow already built for this, but I only know about it because I searched for it; there is nothing in the MDATP console that says, hey, go here and do this.) Again, certain things just need to be "easy". Also, the more Microsoft develops Flows and makes them easy to find, the more companies are going to look at them and see how they can use Flow to develop their own solutions :)

 

Due to the complexity, instead of deploying MDATP, a company will probably just go with a third-party solution that gives them most of that functionality fairly easily by just clicking on an option to auto isolate a machine if it's "compromised" in any way.

 

One last thing; I had NO idea that Flow could have been used to isolate a machine until looking at this post and I work on and research security products every day. 

 

I hope you don't feel that I'm being overly critical. I just feel that Microsoft has a real opportunity to change InfoSec practices, and the easier you make it, the more people will move to the MDATP solution.