Azure Sentinel - Run Antivirus Scan (Windows Defender Connector)


Hi all,
I have managed to integrate the run antivirus scan (action) into my Azure Sentinel playbook. It executes as intended without any error. However, it returns a pending status when triggered by the playbook. When I check its status on the Windows Defender security portal (security.microsoft.com), in the Action center, the History tab shows that "Start antivirus scan" has successfully completed on the target device. In the device's page, the 'Timeline' shows that 'Event: Windows Defender Antivirus Scan has cancelled'.
How do I troubleshoot what's causing the scan to be cancelled when triggered by the Azure Sentinel playbook? I tried connecting the 'Run Antivirus Scan' action to a global admin account but when run, I get a 'forbidden' warning.
Thank you.

1 Reply
Could you share some of the screenshots for the Playbook you have created?
If you manually go to the MDE portal, can you trigger the scan there?
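An added troubleshooting check, not part of this thread: the Timeline entry above corresponds to what Defender Antivirus logs locally, so reading the device's own Defender operational log shows whether the playbook-triggered scan started, finished, or was stopped before completion. It assumes an elevated PowerShell session on the target device; the function names are mine.

```powershell
# Added example (not from the thread). Event IDs in the
# "Microsoft-Windows-Windows Defender/Operational" log:
#   1000 = scan started, 1001 = scan finished, 1002 = scan stopped before completion
function Get-DefenderScanHistory {
    param(
        [int]$Hours = 24   # how far back to look; align with the playbook run time
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1000, 1001, 1002
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            $outcome = switch ($_.Id) {
                1000 { 'Started' }
                1001 { 'Finished' }
                1002 { 'StoppedBeforeCompletion' }
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Outcome = $outcome
                # First line of the message names the scan type and requesting user;
                # for 1002 it is the text to compare against the portal Timeline entry.
                Message = ($_.Message -split "`r?`n")[0]
            }
        }
}

# Current engine state on the device (last quick/full scan times, running mode),
# to line up against the time the playbook fired the action.
function Get-DefenderScanState {
    Get-MpComputerStatus |
        Select-Object AMRunningMode, AntivirusEnabled,
                      QuickScanStartTime, QuickScanEndTime,
                      FullScanStartTime, FullScanEndTime
}

Get-DefenderScanHistory -Hours 24 | Format-Table -AutoSize
Get-DefenderScanState | Format-List
```

Match the 1000/1002 pair nearest the playbook's run time with the Action center entry; the gap between them and the 1002 message text is what to compare with the portal's "cancelled" event.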