...or how simple it is to use the Windows Defender ATP APIs
The new year offers a (somewhat) fresh start, giving us the opportunity to reflect on the past year: the good things, how we could have done better, and how new insights can carry over as resolutions for the coming year. In the world of security operations, particularly triage and prioritization, we might ask ourselves two key questions:
If you answered either of these questions with a “no”, then this blog post is for you! And even if you answered “yes”, we still recommend you continue reading: it might spark some new and innovative ideas.
SOC life in a world of tags
Imagine a world where your machines are all tagged with unique attributes:
With all machines tagged, your SOC analyst can triage alerts more efficiently. Proactive threat hunting can be more focused and can be done with fewer, simpler steps.
All this goodness is now possible with Windows Defender ATP APIs and you certainly don’t need to be a top-notch developer to get this done!
Step 1: Find C-level machines
Let’s identify the machines owned by your CEO and other C-level users.
You can always do this by integrating with an external system that manages your assets. But a simpler way is to check where your C-level users are active by running the following query in Windows Defender ATP advanced hunting:
// Source table assumed to be LogonEvents, the table that holds LogonType, AccountName and MachineId
LogonEvents
| where EventTime > ago(7d)
// Interactive logons only: a user sitting at (or RDP'ing into) the machine, not service or network logons
| where LogonType in ("Interactive", "RemoteInteractive", "CachedInteractive", "CachedRemoteInteractive")
| summarize InteractiveLoginCount = count(LogonType) by MachineId, ComputerName, AccountName
| where InteractiveLoginCount > 0
// Keep, per machine, the account with the most interactive logons in the window
| summarize (InteractiveLoginCount, AccountName) = argmax(InteractiveLoginCount, AccountName) by MachineId, ComputerName
| where AccountName in ("CEO-user", "CFO-user", "CTO-user") // Replace these with values relevant to your org
| distinct MachineId
Try running the query to validate it. Once validated, you now have a quick and easy way to identify the C-level machines. Let’s see how we can use this further.
Step 2: Automate machine finding
Create a new flow
Sign in to Microsoft Flow and create a new flow from blank. We will walk you through configuring the flow so that it automatically runs the advanced hunting query and tags the machines returned by the query.
Define the trigger
Use the built-in Recurrence trigger to set the flow to run at regular intervals.
Set the flow to run every Sunday, ensuring new C-level machines are tagged weekly.
Add “Advanced Hunting” as the first action
To keep things simple, we’ve provided a dedicated action type for advanced hunting. Add this as the first action of your flow.
Paste the query you validated in step 1.
Add “Tag Machine” as the second action
For ID of the machine, use the dynamic content MachineId from the Advanced Hunting action. Specify your preferred tag (in this example, we use “Executive”) and set the action to Add. Note that this flow only ever adds the tag: a machine that stops being used by an executive keeps it until you remove it, either in the portal or with another Tag Machine action set to Remove.
Step 3 — Test your flow
Before running a test, ensure your flow has the three steps described above (the Recurrence trigger, the Advanced Hunting action and the Tag Machine action) and click Save.
When ready, simply click Test to trigger the flow. Select I’ll perform the trigger action when prompted.
After running the test, validate whether your tags have been applied. Go to the Windows Defender ATP portal and check for tags on one of your C-level machines.
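The same three steps can be driven from a script against the Windows Defender ATP REST API instead of a Flow, which is handy when you want to run the job from an existing scheduler or inspect exactly which machines were tagged. The script below is an added example, not code from the original post or from the Windows Defender ATP team; it assumes an Azure AD app registration with the AdvancedQuery.Read.All and Machine.ReadWrite.All application permissions, with the tenant id, client id and client secret supplied via the (assumed) environment variables ATP_TENANT_ID, ATP_CLIENT_ID and ATP_CLIENT_SECRET, and it assumes LogonEvents as the source table of the Step 1 query. The HTTP calls are isolated behind a small post() callable so the parsing and tagging logic can be exercised offline.

```python
import json
import os
import urllib.parse
import urllib.request

# Endpoints from the Windows Defender ATP API documentation.
LOGIN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
API_BASE = "https://api.securitycenter.windows.com"

# The Step 1 query; LogonEvents is assumed to be the source table.
EXEC_QUERY = """
LogonEvents
| where EventTime > ago(7d)
| where LogonType in ("Interactive", "RemoteInteractive", "CachedInteractive", "CachedRemoteInteractive")
| summarize InteractiveLoginCount = count(LogonType) by MachineId, ComputerName, AccountName
| summarize (InteractiveLoginCount, AccountName) = argmax(InteractiveLoginCount, AccountName) by MachineId, ComputerName
| where AccountName in ("CEO-user", "CFO-user", "CTO-user")
| distinct MachineId
"""


def _post_json(url, token, body, opener=urllib.request.urlopen):
    """POST a JSON body with a bearer token and return the parsed JSON reply."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        return json.load(resp)


def get_token(tenant_id, client_id, client_secret, opener=urllib.request.urlopen):
    """Client-credentials token for the ATP API (the app registration is assumed
    to hold AdvancedQuery.Read.All and Machine.ReadWrite.All, admin-consented)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": API_BASE,
    }).encode()
    req = urllib.request.Request(LOGIN_URL.format(tenant=tenant_id), data=form, method="POST")
    with opener(req) as resp:
        return json.load(resp)["access_token"]


def machine_ids_from_hunting_response(payload):
    """Extract the distinct MachineId values from an advanced hunting reply of the
    shape {"Schema": [...], "Results": [...]}, keeping first-seen order and
    skipping rows with an empty id."""
    ids = []
    for row in payload.get("Results", []):
        mid = row.get("MachineId")
        if mid and mid not in ids:
            ids.append(mid)
    return ids


def tag_request(machine_id, tag, action="Add"):
    """Build the (url, body) pair for the machine tag endpoint.
    The API accepts exactly two actions: "Add" and "Remove"."""
    if action not in ("Add", "Remove"):
        raise ValueError("action must be 'Add' or 'Remove'")
    return (f"{API_BASE}/api/machines/{machine_id}/tags",
            {"Value": tag, "Action": action})


def tag_machines(machine_ids, tag, post, action="Add"):
    """Apply (or remove) the tag on every machine id via post(url, body).
    Returns the requests issued so the caller can log or inspect them."""
    issued = []
    for mid in machine_ids:
        url, body = tag_request(mid, tag, action)
        post(url, body)
        issued.append((url, body))
    return issued


def run(tag="Executive"):
    """Equivalent of the Flow: run the query, then tag each machine it returns."""
    token = get_token(os.environ["ATP_TENANT_ID"],
                      os.environ["ATP_CLIENT_ID"],
                      os.environ["ATP_CLIENT_SECRET"])
    reply = _post_json(f"{API_BASE}/api/advancedqueries/run", token, {"Query": EXEC_QUERY})
    ids = machine_ids_from_hunting_response(reply)
    return tag_machines(ids, tag, lambda url, body: _post_json(url, token, body))


if __name__ == "__main__":
    for url, body in run():
        print(body["Action"], body["Value"], "->", url)
```

Running the script weekly from a scheduler gives the same result as the Sunday Recurrence trigger; passing action="Remove" to tag_machines with the ids that dropped out of the query result is the missing half that the Flow does not do. Keep the client secret out of the script itself (environment variables or a secret store), since an app with Machine.ReadWrite.All can retag every machine in the tenant.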
And we are done!
Let’s summarize what we have learned:
Would you like to share an example or two describing your own experiences applying the Windows Defender ATP APIs?
Don’t be shy. Send us a smiley face feedback via the portal, and we’ll take care of the rest!
Windows Defender ATP team