SOLVED

Run Microsoft Defender


Hi,

I have been trying to use the Playbooks to automatically trigger Microsoft Defender for the user who triggered the alert as the alert flags for Malware. 

POST https://api.securitycenter.microsoft.com/api/machines/{id}/runAntiVirusScan is the API for it, but I'm not sure what "id" refers to here, as it doesn't work with the device ID (Azure AD). Does anyone know what it refers to?

Thanks.

best response confirmed by lolaaa (New Contributor)
Solution

@lolaaa Looks like you can get the machine IDs by making the call on this page: List machines API - Windows security | Microsoft Docs.   It will return JSON so you will need to extract the needed ID from that data.
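The lookup the answer describes, as an added example that is not from the original thread: parse a List machines response, resolve the Defender for Endpoint machine `id` from the Azure AD device id (the `aadDeviceId` field) or the DNS name, then build the `runAntiVirusScan` request for it. The machine records and ids below are constructed sample data, and `run_scan` assumes you already hold a valid bearer token for the Defender for Endpoint API.

```python
import json
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com/api"

# Constructed sample of a List machines response (GET /api/machines), trimmed to
# the fields used here. "id" is the Defender for Endpoint machine id expected by
# /api/machines/{id}/runAntiVirusScan; "aadDeviceId" is the Azure AD device id
# the question was trying to use in its place.
SAMPLE_MACHINES_JSON = json.dumps({
    "value": [
        {"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
         "computerDnsName": "ws01.contoso.example",
         "aadDeviceId": "2b7c5d5a-0000-4000-8000-000000000001"},
        {"id": "e8e36a4ebc7e08c1ec9b2ba8b1d3f8e6a1f4c7d9",
         "computerDnsName": "srv02.contoso.example",
         "aadDeviceId": None},   # not Azure AD joined, so no aadDeviceId
    ]
})


def find_machine_id(machines_json, aad_device_id=None, dns_name=None):
    """Return the Defender machine id whose aadDeviceId or computerDnsName
    matches, or None when nothing in the response matches."""
    for machine in json.loads(machines_json).get("value", []):
        if aad_device_id and machine.get("aadDeviceId") == aad_device_id:
            return machine["id"]
        name = (machine.get("computerDnsName") or "").lower()
        if dns_name and name == dns_name.lower():
            return machine["id"]
    return None


def build_scan_request(machine_id, comment, scan_type="Quick"):
    """Build the URL and JSON body for the runAntiVirusScan machine action."""
    if scan_type not in ("Quick", "Full"):
        raise ValueError("ScanType must be 'Quick' or 'Full'")
    url = f"{API_BASE}/machines/{machine_id}/runAntiVirusScan"
    return url, {"Comment": comment, "ScanType": scan_type}


def run_scan(token, machine_id, comment, scan_type="Quick"):
    """POST the scan action; returns the machine action record as a dict."""
    url, body = build_scan_request(machine_id, comment, scan_type)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

If the Azure AD device id is what the alert gives you, resolve it with `find_machine_id(..., aad_device_id=...)` first; the machine action endpoint does not accept it directly.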