User Profile
blankachu
Copper Contributor
Joined Jul 29, 2020
Recent Discussions
Re: Playbook (Logic App) - trigger - When Azure Sentinel incident creation rule was triggered
erlendoyen Go to Analytics and click the alert rule that you want to get alerted on and edit it. The rule type has to be scheduled for you to be able to trigger the playbook. Go to automated response type and select the playbook/logic app that you created and save it. It's kind of confusing, but you will have to do it for every alert rule, and it doesn't do it for every rule automatically as the logic app suggests.
12K Views, 1 like, 0 Comments

Re: Custom rule detection in Advanced hunting ATP
moderndesktop You can do something similar to what was done here: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/automated-machine-tagging-in-just-a-few-simple-steps/ba-p/309377. You can simply run a scheduled query to produce a list of systems which are missing the tool and run an isolation action through Microsoft Flow or Logic Apps. Isolating a system might be a nuclear option, since you won't be able to reach it and deploy the app to make it compliant. From what I know, only Defender ATP can reach out to the system after isolation, so you can look at installing the application through ATP Live Response or creating something like a ServiceNow ticket through Logic Apps to get someone to deploy the software.
1.2K Views, 0 likes, 1 Comment