MDATP Python automation
Automate machine isolation with Python script
In this blog, we will use Python (!) to automate a response to a high severity alert, by isolating the machine involved.
In a previous blog, we provided a PowerShell script with the same functionality. Due to several requests we want to demonstrate the same with Python as well.
Let’s start
- Step 1: Add the required permission to your application
- Step 2: Download the script and insert your credentials
- Step 3: Run the script and bask in automation glory
Step 1 - Add the required permission to the application:
If you’ve already created an app, you can skip and move to the “add isolation permissions” section below. If you haven’t, first you need to create one using the instructions described in the first part of the Hello world blog, and then move on to "add isolation permissions".
Please save your Application key, Application ID and Tenant ID while you create your app, you will use them soon (instructions on where to find this are in the blog linked above).
Add isolation permissions:
- Open Azure portal
- Navigate to Azure Active Directory > App registrations
- Under All Apps, find and select the application, for example ContosoSIEMConnector
- Click on View API Permissions > then Add a permission
- Select the checkbox for Isolate machine application permission (make sure you have the “read alerts” permission as well).
- Click Save and Grant Permissions.
- Click on Grant admin consent. Make sure that the new permissions have admin consent as seen below (Read all alerts & Isolate machine).
Done! You have successfully added the required permissions to the application.
Step 2: Download the script and insert your credentials
Download the isolation.py file (attached below).
Remember when I asked you to save your Application key, Application ID and Tenant ID from the azure portal? We will now embed them into the script. Paste the values as strings (between a pair of quotation marks) here (line 9):
This will allow the script to use the API freely, so you won’t have to pass those values every time you run it.
Step 3: Run the script
Open Powershell, go to the directory you saved the script in and run the following command:
Python isolation.py “Comment regarding the isolation” Full
That’s it! You are DONE!
The script will print out the MachineID of the isolated machines and the AlertID of the alert that triggered the isolation.
The arguments that are passed to the script are:
|
Parameter |
Type |
Description |
|
Comment |
String |
Comment to associate with the action. Required. |
|
IsolationType |
String |
Type of the isolation. Allowed values are: 'Full' or 'Selective'. Required. |
You can read more about our API in this link
Bonus step: Isolate a single machine using MachineID
This script can also isolate a single machine, you simply need to provide the the ID of this machine. You can find the MachineID in the URL of the machine page in the security center:
Now, simply run the script, same as before, but pass the MachineID as the first argument as follows:
Python isolation.py 31bf22448170e3df65430b81fff82fbb30285cec “Comment regarding the isolation” Full
The rest of the arguments are the same as above.
You can use this functionality to build more (exciting) automations!
As always, we would love to get your thoughts and feedback.
Thanks,
@Itai Zur, program manager, Windows Defender ATP
@Dan Michelson, program manager, Windows Defender ATP
@Haim Goldshtein, security software engineer, Windows Defender ATP