Larssen92
Brass Contributor
Feb 10, 2022

Logic App - MDATP permissions

Hi,

I have a logic app, which is supposed to do (1) an advanced hunting query in defender for endpoint (MDATP), and then based on the result, it should (2) start an automated investigation, and (3) an anti-virus scan on the given machine.

I found this API documentation, but I am not able to give these permissions to an app registration or a managed identity. So how do I go about giving an app registration or a managed identity the required permissions?
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-advanced-query-api?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/initiate-autoir-investigation?view=o365-worldwide

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-av-scan?view=o365-worldwide
  • m_zorich
    Iron Contributor
    You can add them to an app registration, they are just a little weird to find vs MS Graph permissions.

    On the "Add a permission" window in Azure AD, select "APIs my organization uses", then type in WindowsDefenderATP. You should see it listed; select it, then "Application permissions". Then select the ones you need.

    Guide here too - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide
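    Once the WindowsDefenderATP application permissions are consented, the three steps from the original question can be driven from any non-interactive client. The following is an added example, not code from this thread or from Microsoft: it acquires a client-credentials token for the Defender for Endpoint resource, runs an advanced hunting query, then starts an automated investigation and an AV scan per device. Tenant, client id and secret are placeholders, and the `post` parameter exists only so the HTTP transport can be swapped out.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable

# Resource the WindowsDefenderATP app permissions are issued for (see the linked docs).
MDE = "https://api.securitycenter.microsoft.com"


def http_post(url: str, body: bytes, headers: dict) -> dict:
    """Default transport: a real HTTPS POST returning the parsed JSON body."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_token(tenant_id: str, client_id: str, client_secret: str,
              post: Callable = http_post) -> str:
    """Client-credentials flow. Only the *application* permissions granted to the
    app registration (e.g. AdvancedQuery.Read.All, Machine.Scan) appear in this token."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,   # placeholder; use Key Vault / managed identity in production
        "scope": f"{MDE}/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return post(url, form, {"Content-Type": "application/x-www-form-urlencoded"})["access_token"]


def mde_post(token: str, path: str, payload: dict, post: Callable = http_post) -> dict:
    """POST a JSON payload to a Defender for Endpoint API path with the bearer token."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return post(f"{MDE}{path}", json.dumps(payload).encode(), headers)


def hunt_machine_ids(token: str, kql: str, post: Callable = http_post) -> list:
    """Step 1: run the advanced hunting query and return the distinct DeviceId values.
    The query must project DeviceId; rows without it are ignored."""
    result = mde_post(token, "/api/advancedqueries/run", {"Query": kql}, post)
    return sorted({row["DeviceId"] for row in result.get("Results", []) if row.get("DeviceId")})


def respond(token: str, machine_id: str, comment: str, post: Callable = http_post) -> tuple:
    """Steps 2 and 3: start an automated investigation, then a full AV scan, on one device.
    Both return a machine action object whose status can be polled afterwards."""
    inv = mde_post(token, f"/api/machines/{machine_id}/startInvestigation",
                   {"Comment": comment}, post)
    scan = mde_post(token, f"/api/machines/{machine_id}/runAntiVirusScan",
                    {"Comment": comment, "ScanType": "Full"}, post)
    return inv, scan
```

    Each machine action is asynchronous, so a Logic App would typically poll the returned action id rather than treat the POST response as completion.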
  • Larssen92 There are some built-in triggers for Logic Apps that may simplify this instead of interacting with the APIs directly.

    In the advanced hunting page of M365 Defender, you can create a detection rule that will generate an alert when your query contains results:

    You could then use the built-in Logic App trigger to start the workflow when an alert is received. This trigger supports service principals and managed identities:

    For information on how to use a non-interactive account to access the Defender for Endpoint APIs (and also this logic app trigger), the following guide outlines the process: Create an app to access Microsoft Defender for Endpoint without a user | Microsoft Docs

    • antonwestin
      Copper Contributor

      nickselvaggio-msft Will this way of setting up the trigger receive all the defender alerts? 

      I would like to filter out a specific alert, which I'm currently doing with a condition element afterwards, but it still seems like the logic app runs every time any new alert is received. I guess it's not possible to get around this in some way, to only run it when the wanted alert is received?