Feb 10 2022 10:36 AM
Hi,
I have a logic app, which is supposed to do (1) an advanced hunting query in defender for endpoint (MDATP), and then based on the result, it should (2) start an automated investigation, and (3) an anti-virus scan on the given machine.
I found this API documentation, but I am not able to give these permissions to an app registration or a managed identity - so how do I go about giving an app registration or a managed identity the required permissions?
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-advanced-query-api?vie...
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/initiate-autoir-investigat...
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-av-scan?view=o365-worl...
Feb 10 2022 08:36 PM
Solution
Feb 15 2022 08:56 AM
@Larssen92 There are some built-in triggers for Logic Apps that may simplify this instead of interacting with the APIs directly.
In the advanced hunting page of M365 Defender, you can create a detection rule that will generate an alert when your query contains results:
You could then use the built-in Logic App trigger to start the workflow when an alert is received. This trigger supports service principals and managed identities:
For information on how to use a non-interactive account to access the Defender for Endpoint APIs (and also this logic app trigger), the following guide outlines the process: Create an app to access Microsoft Defender for Endpoint without a user | Microsoft Docs
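As an added example (not code from this thread, from Microsoft, or from the linked guide), the non-interactive flow the guide describes, carried through the three API calls the question lists: obtain a token for the app registration with the OAuth2 client-credentials grant, run the advanced hunting query, and for each device in the result build the automated-investigation and antivirus-scan requests. Assumptions: the app registration has been granted the application permissions AdvancedQuery.Read.All, Alert.ReadWrite.All and Machine.Scan on the WindowsDefenderATP API with admin consent (the step the linked guide walks through), credentials are supplied through the environment variables TENANT_ID, CLIENT_ID and CLIENT_SECRET, and the hunting response embedded below is a constructed sample rather than real tenant data. The request-building functions are separated from the network call so the payloads can be checked without a tenant.

```python
"""Defender for Endpoint API calls with an app registration (no signed-in user).

Added example; assumptions (not from the thread):
- application permissions AdvancedQuery.Read.All, Alert.ReadWrite.All and
  Machine.Scan granted (with admin consent) on the WindowsDefenderATP API;
- TENANT_ID, CLIENT_ID, CLIENT_SECRET provided as environment variables.
"""
import json
import os
import urllib.parse
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com"


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request; the token is issued for the MDE API resource."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": API_BASE,
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")


def _json_post(token, url, payload):
    """Authenticated JSON POST request (built, not sent)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


def build_hunting_request(token, kql):
    """Step 1: POST /api/advancedqueries/run with the KQL query in the body."""
    return _json_post(token, f"{API_BASE}/api/advancedqueries/run", {"Query": kql})


def device_ids_from_results(hunting_response):
    """Distinct DeviceId values from a hunting response ({"Schema": [...], "Results": [...]});
    the same device often appears in several rows, so de-duplicate before acting on it."""
    ids = {row["DeviceId"] for row in hunting_response.get("Results", []) if row.get("DeviceId")}
    return sorted(ids)


def build_response_actions(token, device_id, comment):
    """Steps 2 and 3 for one device: start an automated investigation, then a full AV scan.
    Both endpoints require a Comment; the scan additionally takes ScanType (Quick or Full)."""
    return [
        _json_post(token, f"{API_BASE}/api/machines/{device_id}/startInvestigation",
                   {"Comment": comment}),
        _json_post(token, f"{API_BASE}/api/machines/{device_id}/runAntiVirusScan",
                   {"Comment": comment, "ScanType": "Full"}),
    ]


def plan_actions(token, hunting_response, comment):
    """All follow-up requests for every device the hunting query returned."""
    reqs = []
    for device_id in device_ids_from_results(hunting_response):
        reqs.extend(build_response_actions(token, device_id, comment))
    return reqs


def send(req):
    """Send a built request and decode the JSON reply."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


# Constructed sample of the hunting response shape; the DeviceId values are placeholders.
SAMPLE_HUNTING_RESPONSE = {
    "Schema": [{"Name": "DeviceId", "Type": "String"}, {"Name": "FileName", "Type": "String"}],
    "Results": [
        {"DeviceId": "0000000000000000000000000000000000000001", "FileName": "suspicious.exe"},
        {"DeviceId": "0000000000000000000000000000000000000001", "FileName": "suspicious.exe"},
        {"DeviceId": "0000000000000000000000000000000000000002", "FileName": "dropper.dll"},
    ],
}

if __name__ == "__main__":
    env = {k: os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")}
    if all(env.values()):
        token = send(build_token_request(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"]))["access_token"]
        results = send(build_hunting_request(token, "DeviceFileEvents | where FileName endswith '.exe' | take 10"))
    else:
        token, results = "placeholder-token", SAMPLE_HUNTING_RESPONSE  # offline dry run
    for req in plan_actions(token, results, "Triggered by hunting query (added example)"):
        print(req.get_method(), req.full_url, req.data.decode())
```

With credentials set, the script obtains a token, runs the query and prints the follow-up requests it would issue (call send() on each to actually dispatch them); without credentials it walks the constructed sample so the payload shapes can be inspected. When the same flow is built as a Logic App, the HTTP action's managed-identity authentication replaces build_token_request, but the audience (API_BASE) and the permission grants are the same.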
Apr 18 2023 01:02 AM
@nickselvaggio-msft Will this way of setting up the trigger receive all the defender alerts?
I would like to filter out a specific alert, which I'm currently doing with a condition element afterwards, but it still seems like the logic app runs every time any new alert is received. I guess it's not possible to get around this in some way, so that it only runs when the wanted alert is received?