Forum Discussion
Logic App - MDATP permissions
Hi,
I have a logic app, which is supposed to do (1) an advanced hunting query in Defender for Endpoint (MDATP), and then, based on the result, it should (2) start an automated investigation and (3) run an anti-virus scan on the given machine.
I found this API documentation, but I am not able to give these permissions to an app registration or a managed identity - so how do I go about giving an app registration or a managed identity the required permissions?
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-advanced-query-api?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/initiate-autoir-investigation?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-av-scan?view=o365-worldwide
- m_zorich (Iron Contributor)
You can add them to an app registration; they are just a little weird to find vs MS Graph permissions.
On the Add a permission window in Azure AD, select 'APIs my organization uses', then type in WindowsDefenderATP. You should see it listed; select it, then Application permissions, then select the ones you need.
Guide here too - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide
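Once the app registration holds those application permissions, the three steps from the question are plain REST calls against the Defender for Endpoint API. The script below is an added example in PowerShell, not code from this thread or from Microsoft's docs. It assumes an app registration granted AdvancedQuery.Read.All, Alert.ReadWrite.All and Machine.Scan (the application permissions the three linked API pages list), a client secret read from environment variables (placeholder names), and a hypothetical hunting query.

```powershell
# Added example, not from the thread. Assumes an app registration that already holds the
# WindowsDefenderATP application permissions AdvancedQuery.Read.All, Alert.ReadWrite.All
# and Machine.Scan, with tenant/client/secret in placeholder environment variables.
$TenantId     = $env:MDE_TENANT_ID
$ClientId     = $env:MDE_CLIENT_ID
$ClientSecret = $env:MDE_CLIENT_SECRET
$ApiBase      = 'https://api.securitycenter.microsoft.com/api'

# 1. Client-credentials token for the Defender for Endpoint resource.
#    The audience matters: a token issued for Microsoft Graph is rejected by this API
#    no matter which permissions the app registration has.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Advanced hunting query (POST /advancedqueries/run). Hypothetical query: devices that
#    launched a process from a Downloads folder in the last hour, one row per device.
$query = @'
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FolderPath has "Downloads"
| summarize by DeviceId, DeviceName
'@
$hunt = Invoke-RestMethod -Method Post -Uri "$ApiBase/advancedqueries/run" -Headers $headers `
    -ContentType 'application/json' -Body (@{ Query = $query } | ConvertTo-Json)

if (-not $hunt.Results) { Write-Host 'No matching devices'; return }

# 3. For each device in the result set, start an automated investigation and a full AV scan.
#    Both endpoints are asynchronous: the response is an action record whose id you poll
#    later, not the outcome of the investigation or scan.
foreach ($row in $hunt.Results) {
    $machineId = $row.DeviceId
    $comment   = "Logic App hunt match on $($row.DeviceName)"

    $investigation = Invoke-RestMethod -Method Post `
        -Uri "$ApiBase/machines/$machineId/startInvestigation" `
        -Headers $headers -ContentType 'application/json' `
        -Body (@{ Comment = $comment } | ConvertTo-Json)

    $scan = Invoke-RestMethod -Method Post `
        -Uri "$ApiBase/machines/$machineId/runAntiVirusScan" `
        -Headers $headers -ContentType 'application/json' `
        -Body (@{ Comment = $comment; ScanType = 'Full' } | ConvertTo-Json)

    [pscustomobject]@{
        Device          = $row.DeviceName
        InvestigationId = $investigation.id
        ScanActionId    = $scan.id
        ScanStatus      = $scan.status
    }
}
```

Two things trip people up with this flow: the token has to be requested for the Defender for Endpoint resource (the `.default` scope on api.securitycenter.microsoft.com), otherwise every call returns 401 regardless of what the app has been granted; and startInvestigation and runAntiVirusScan only queue work, so the returned ids are what a later step polls. Grant the app just these three permissions rather than the broader Machine.* permissions; the script needs nothing more.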
- nickselvaggio-msft (Microsoft)
Larssen92 There are some built-in triggers for Logic Apps that may simplify this instead of interacting with the APIs directly.
In the advanced hunting page of M365 Defender, you can create a detection rule that will generate an alert when your query returns results.
You could then use the built-in Logic App trigger to start the workflow when an alert is received. This trigger supports service principals and managed identities.
For information on how to use a non-interactive account to access the Defender for Endpoint APIs (and also this logic app trigger), the following guide outlines the process: Create an app to access Microsoft Defender for Endpoint without a user | Microsoft Docs
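The trigger and the HTTP actions can run as the Logic App's own managed identity, which covers the second half of the question, but a managed identity has no app registration, so the Azure AD "API permissions" blade described above is not available for it; its WindowsDefenderATP app roles have to be assigned through Microsoft Graph. The script below is an added example, not nickselvaggio-msft's or Microsoft's code. It assumes the Microsoft.Graph PowerShell module, an administrator allowed to grant app role assignments, a placeholder Logic App name, and the same three permission names the linked API docs list.

```powershell
# Added example, not from the thread. Grants the WindowsDefenderATP application permissions
# to a Logic App's system-assigned managed identity. Assumes the Microsoft.Graph module and
# an admin who can create app role assignments. The Logic App name is a placeholder.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

$logicAppName = 'mde-hunt-and-respond'   # placeholder: Logic App with a system-assigned identity
$neededRoles  = @('AdvancedQuery.Read.All', 'Alert.ReadWrite.All', 'Machine.Scan')

# The managed identity appears in Azure AD as a service principal named after the Logic App.
$mi = Get-MgServicePrincipal -Filter "displayName eq '$logicAppName'"
# The resource being granted is the WindowsDefenderATP service principal, the same entry the
# portal steps find under 'APIs my organization uses'.
$atp = Get-MgServicePrincipal -Filter "displayName eq 'WindowsDefenderATP'"
if (-not $mi -or -not $atp) {
    throw 'Managed identity or WindowsDefenderATP service principal not found in this tenant'
}

foreach ($roleName in $neededRoles) {
    # Application permissions are the resource's app roles whose allowed member type is 'Application'.
    $role = $atp.AppRoles | Where-Object {
        $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $role) { Write-Warning "Role $roleName not found on WindowsDefenderATP"; continue }

    # Skip roles already granted so the script is safe to re-run.
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
        Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $atp.Id }
    if ($existing) { Write-Host "$roleName already assigned"; continue }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
        -PrincipalId $mi.Id -ResourceId $atp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned $roleName"
}

# Verify: print the WindowsDefenderATP roles the identity now holds, so the grant is
# exactly the three needed and nothing broader.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Where-Object { $_.ResourceId -eq $atp.Id } |
    ForEach-Object { ($atp.AppRoles | Where-Object { $_.Id -eq $_.AppRoleId -or $_.Id -eq $PSItem.AppRoleId }).Value }
```

After the assignment, the Logic App's HTTP actions authenticate with the Managed identity option and the audience https://api.securitycenter.microsoft.com, with no secret stored in the workflow. Tokens already cached for the identity do not pick up a new role immediately, so a freshly granted permission can still produce 401s for a short while; re-run the workflow rather than adding more permissions.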
- antonwestin (Copper Contributor)
nickselvaggio-msft Will this way of setting up the trigger receive all the defender alerts?
I would like to filter out a specific alert, which I'm currently doing with a condition element afterwards, but it still seems like the logic app runs every time any new alert is received. I guess it's not possible to get around this in some way to only run it when the wanted alert is received?