Functionality of "Isolate machine using Windows Defender upon a Cloud App Security alert" template


Hello guys,

I wanted to try out the integration of Cloud App Security in Microsoft Flow/Power Automate and wanted to test the "Isolate machine using Windows Defender upon a Cloud App Security alert" template.

The template doesn't work because the ATP Advanced Hunting query step inside the flow always fails. So I tried the query that is used for that step in the Microsoft 365 Security Center, and it doesn't work because the table "LogonEvents" doesn't exist anymore. So I wanted to ask if there are any alternatives to still make the template work. I tried it with DeviceLogonEvents and IdentityLogonEvents, but they don't seem to support the same features.

Best regards

Salomo

0 Replies