Mar 03 2021 10:57 PM
Hi all,
I have managed to integrate the Run Antivirus Scan action into my Azure Sentinel playbook. It executes as intended without any error. However, it returns a Pending status when triggered by the playbook. When I check its status in the Windows Defender security portal (security.microsoft.com), under Action center, the History tab shows that "Start antivirus scan" has successfully completed on the target device. On the device's page, the Timeline shows "Event: Windows Defender Antivirus Scan has cancelled".
How do I troubleshoot what is causing the scan to be cancelled when it is triggered by the Azure Sentinel playbook? I tried connecting the Run Antivirus Scan action to a global admin account, but when it runs I get a "forbidden" warning.
Thank you.
Mar 06 2021 06:27 AM