This commit is contained in:
dicolanl 2021-06-10 05:24:51 +00:00
Родитель 3ed1abd43c
Коммит afa08e1cb7
9 изменённых файлов: 492 добавлений и 385 удалений


@ -1,360 +0,0 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"comments": "This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDATP for 90 days.",
"author": "Nicholas DiCola"
},
"parameters": {
"PlaybookName": {
"defaultValue": "Restrict-MDATPFileHash",
"type": "String"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {
},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"identity": {
"type": "SystemAssigned"
},
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Alert_-_Get_incident": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Cases/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}"
},
"runAfter": {
},
"type": "ApiConnection"
},
"For_each": {
"actions": {
"Condition": {
"actions": {
"Switch": {
"cases": {
"Case": {
"actions": {
"HTTP": {
"inputs": {
"authentication": {
"audience": "https://api.securitycenter.windows.com/",
"type": "ManagedServiceIdentity"
},
"body": {
"action": "AlertAndBlock",
"application": "@{triggerBody()?['ProductName']}",
"description": "@{body('Alert_-_Get_incident')?['properties']?['Title']}",
"expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}",
"indicatorType": "FileSha1",
"indicatorValue": "@{items('For_each')?['Value']}",
"severity": "@{body('Alert_-_Get_incident')?['properties']?['Severity']}",
"title": "@{guid()}"
},
"method": "POST",
"uri": "https://api.securitycenter.windows.com/api/indicators"
},
"runAfter": {
},
"type": "Http"
}
},
"case": "SHA1"
},
"Case_2": {
"actions": {
"HTTP_2": {
"inputs": {
"authentication": {
"audience": "https://api.securitycenter.windows.com/",
"type": "ManagedServiceIdentity"
},
"body": {
"action": "AlertAndBlock",
"application": "@{triggerBody()?['ProductName']}",
"description": "@{body('Alert_-_Get_incident')?['properties']?['Title']}",
"expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}",
"indicatorType": "FileSha256",
"indicatorValue": "@{items('For_each')?['Value']}",
"severity": "@{body('Alert_-_Get_incident')?['properties']?['Severity']}",
"title": "@{guid()}"
},
"method": "POST",
"uri": "https://api.securitycenter.windows.com/api/indicators"
},
"runAfter": {
},
"type": "Http"
}
},
"case": "SHA256"
}
},
"default": {
"actions": {
}
},
"expression": "@items('For_each')?['Algorithm']",
"runAfter": {
},
"type": "Switch"
}
},
"expression": {
"and": [
{
"equals": [
"@items('For_each')['Type']",
"filehash"
]
}
]
},
"runAfter": {
},
"type": "If"
}
},
"foreach": "@body('Parse_JSON')",
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "Foreach"
},
"Parse_JSON": {
"inputs": {
"content": "@triggerBody()?['Entities']",
"schema": {
"items": {
"properties": {
"$id": {
"type": "string"
},
"AadUserId": {
"type": "string"
},
"Account": {
"properties": {
"$ref": {
"type": "string"
}
},
"type": "object"
},
"Address": {
"type": "string"
},
"Algorithm": {
"type": "string"
},
"CommandLine": {
"type": "string"
},
"CreatedTimeUtc": {
"type": "string"
},
"CreationTimeUtc": {
"type": "string"
},
"Directory": {
"type": "string"
},
"DnsDomain": {
"type": "string"
},
"ElevationToken": {
"type": "string"
},
"FileHashes": {
"items": {
"properties": {
"$ref": {
"type": "string"
}
},
"required": [
"$ref"
],
"type": "object"
},
"type": "array"
},
"Host": {
"properties": {
"$ref": {
"type": "string"
}
},
"type": "object"
},
"HostName": {
"type": "string"
},
"ImageFile": {
"properties": {
"$ref": {
"type": "string"
}
},
"type": "object"
},
"IsDomainJoined": {
"type": "boolean"
},
"IsDownloaded": {
"type": "boolean"
},
"IsPe": {
"type": "boolean"
},
"IsValid": {
"type": "boolean"
},
"LastAccessTimeUtc": {
"type": "string"
},
"LastWriteTimeUtc": {
"type": "string"
},
"MachineId": {
"type": "string"
},
"MachineIdType": {
"type": "integer"
},
"NTDomain": {
"type": "string"
},
"Name": {
"type": "string"
},
"ParentProcess": {
"properties": {
"$ref": {
"type": "string"
}
},
"type": "object"
},
"ProcessId": {
"type": "string"
},
"Sid": {
"type": "string"
},
"SizeInBytes": {
"type": "integer"
},
"Type": {
"type": "string"
},
"UPNSuffix": {
"type": "string"
},
"Url": {
"type": "string"
},
"Value": {
"type": "string"
}
},
"required": [
"$id",
"Type"
],
"type": "object"
},
"type": "array"
}
},
"runAfter": {
"Alert_-_Get_incident": [
"Succeeded"
]
},
"type": "ParseJson"
}
},
"contentVersion": "1.0.0.0",
"outputs": {
},
"parameters": {
"$connections": {
"defaultValue": {
},
"type": "Object"
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
}
}
}
}
]
}


@ -1,25 +0,0 @@
# Restrict-MDATPFileHash
author: Nicholas DiCola
This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDATP for 90 days.
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDATPFileHash%2Fazuredeploy.json" target="_blank">
<img src="http://azuredeploy.net/deploybutton.png"/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDATPFileHash%2Fazuredeploy.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
</a>
**Additional Post Install Notes:**
The Logic App creates and uses a Managed System Identity (MSI) to authenticate and authorize against api.securitycenter.windows.com to update threat indicators.
The MSI must be assigned API Permissions 'Ti.ReadWrite' to WindowsDefenderATP App. To assign use PowerShell and AzureAD Module. Run the following commands:
$msi = Get-AzureADServicePrincipal | ?{$_.DisplayName -ieq "Restrict-MDATPUrl"}
$graph = Get-AzureADServicePrincipal -Filter "AppId eq 'fc780465-2017-40d4-a0c5-307022471b92'"
$roles = $graph.AppRoles | ?{$_.Value -imatch "Ti.ReadWrite" }
Foreach ($role in $roles){
New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId -Id $role.Id -ResourceId $graph.ObjectId
}


@ -0,0 +1,224 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"comments": "This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDE for 90 days.",
"author": "Nicholas DiCola"
},
"parameters": {
"PlaybookName": {
"defaultValue": "Restrict-MDEFileHash",
"type": "String"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"identity": {
"type": "SystemAssigned"
},
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Alert_-_Get_incident": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
},
"runAfter": {},
"type": "ApiConnection"
},
"Entities_-_Get_FileHashes": {
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/filehash"
},
"runAfter": {
"Alert_-_Get_incident": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"For_each": {
"actions": {
"Add_comment_to_incident_(V3)": {
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p>@{items('For_each')?['Value']} was added to MDE Indicators with action: AlertandBlock via playbook.</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {
"Switch": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Switch": {
"cases": {
"Case": {
"actions": {
"HTTP": {
"inputs": {
"authentication": {
"audience": "https://api.securitycenter.windows.com/",
"type": "ManagedServiceIdentity"
},
"body": {
"action": "AlertAndBlock",
"application": "Azure Sentinel",
"description": "@{body('Alert_-_Get_incident')?['properties']?['incidentNumber']}-@{body('Alert_-_Get_incident')?['properties']?['title']}",
"expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}",
"indicatorType": "FileSha1",
"indicatorValue": "@{items('For_each')?['Value']}",
"severity": "@{body('Alert_-_Get_incident')?['properties']?['severity']}",
"title": "@{guid()}"
},
"method": "POST",
"uri": "https://api.securitycenter.windows.com/api/indicators"
},
"runAfter": {},
"type": "Http"
}
},
"case": "SHA1"
},
"Case_2": {
"actions": {
"HTTP_2": {
"inputs": {
"authentication": {
"audience": "https://api.securitycenter.windows.com/",
"type": "ManagedServiceIdentity"
},
"body": {
"action": "AlertAndBlock",
"application": "Azure Sentinel",
"description": "@{body('Alert_-_Get_incident')?['properties']?['incidentNumber']}-@{body('Alert_-_Get_incident')?['properties']?['title']}",
"expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}",
"indicatorType": "FileSha256",
"indicatorValue": "@{items('For_each')?['Value']}",
"severity": "@{body('Alert_-_Get_incident')?['properties']?['severity']}",
"title": "@{guid()}"
},
"method": "POST",
"uri": "https://api.securitycenter.windows.com/api/indicators"
},
"runAfter": {},
"type": "Http"
}
},
"case": "SHA256"
}
},
"default": {
"actions": {}
},
"expression": "@items('For_each')?['Algorithm']",
"runAfter": {},
"type": "Switch"
}
},
"foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
"runAfter": {
"Entities_-_Get_FileHashes": [
"Succeeded"
]
},
"type": "Foreach"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
}
]
}
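Review bot: `Add_comment_to_incident_(V3)` runs after `Switch` reports Succeeded and posts "… was added to MDE Indicators with action: AlertandBlock" for every file-hash entity, but the Switch's `default` branch is empty, so an MD5 (or any Algorithm other than SHA1/SHA256) yields the comment without any indicator being created, and an analyst reading the incident will believe a block is in place that is not. Either move the comment action into the two cases so it only follows a successful `HTTP`/`HTTP_2`, or give `default` its own comment, e.g. `"message": "<p>@{items('For_each')?['Value']} was NOT added: only SHA1/SHA256 indicators are supported.</p>"`. Separately, `"expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}"` measures the 90 days from the alert's timestamp rather than from when the block is applied; since the README says this playbook may be run manually on an alert, a late run produces an indicator that is already close to (or past) expiry, and `"expirationTime": "@{addDays(utcNow(), 90)}"` matches the stated intent. The `title` of `@{guid()}` is opaque in the MDE indicator list; reusing the incident number/title string already built for `description` would make the indicator attributable.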



@ -0,0 +1,217 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Restrict-MDEFileHash",
"description": "This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDE for 90 days.",
"prerequisites": "You will need to grant Ti.ReadWrite permissions to the managed identity.",
"lastUpdateTime": "2021-06-10T00:00:00.000Z",
"entities": [ "FileHash" ],
"tags": [ "Remediation" ],
"support": {
"kind": "Community"
},
"author": {
"name": "Nicholas DiCola"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "Restrict-MDEFileHash",
"type": "String"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"identity": {
"type": "SystemAssigned"
},
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Entities_-_Get_FileHashes": {
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/filehash"
},
"runAfter": {},
"type": "ApiConnection"
},
"For_each": {
"actions": {
"Add_comment_to_incident_(V3)": {
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{items('For_each')?['Value']} was added to MDE Indicators with action: AlertandBlock via playbook.</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {
"Switch": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Switch": {
"cases": {
"Case": {
"actions": {
"HTTP": {
"inputs": {
"authentication": {
"audience": "https://api.securitycenter.windows.com/",
"type": "ManagedServiceIdentity"
},
"body": {
"action": "AlertAndBlock",
"application": "Azure Sentinel",
"description": "@{triggerBody()?['object']?['properties']?['incidentNumber']}-@{triggerBody()?['object']?['properties']?['title']}",
"expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}",
"indicatorType": "FileSha1",
"indicatorValue": "@{items('For_each')?['Value']}",
"severity": "@{triggerBody()?['object']?['properties']?['severity']}",
"title": "@{guid()}"
},
"method": "POST",
"uri": "https://api.securitycenter.windows.com/api/indicators"
},
"runAfter": {},
"type": "Http"
}
},
"case": "SHA1"
},
"Case_2": {
"actions": {
"HTTP_2": {
"inputs": {
"authentication": {
"audience": "https://api.securitycenter.windows.com/",
"type": "ManagedServiceIdentity"
},
"body": {
"action": "AlertAndBlock",
"application": "Azure Sentinel",
"description": "@{triggerBody()?['object']?['properties']?['incidentNumber']}-@{triggerBody()?['object']?['properties']?['title']}",
"expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}",
"indicatorType": "FileSha256",
"indicatorValue": "@{items('For_each')?['Value']}",
"severity": "@{triggerBody()?['object']?['properties']?['severity']}",
"title": "@{guid()}"
},
"method": "POST",
"uri": "https://api.securitycenter.windows.com/api/indicators"
},
"runAfter": {},
"type": "Http"
}
},
"case": "SHA256"
}
},
"default": {
"actions": {}
},
"expression": "@items('For_each')?['Algorithm']",
"runAfter": {},
"type": "Switch"
}
},
"foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
"runAfter": {
"Entities_-_Get_FileHashes": [
"Succeeded"
]
},
"type": "Foreach"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
}
]
}
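Review bot: `"expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}"` in both `HTTP` and `HTTP_2` still uses the alert-trigger payload shape, while every other field in this template reads `triggerBody()?['object']?['properties']?[...]` (relatedEntities, incidentNumber, title, severity) and `triggerBody()?['object']?['id']`; the incident-creation trigger body does not appear to carry a top-level `TimeGenerated`, so this expression is most likely evaluated against null and the indicator POST fails — or, if the API tolerates it, the indicator is created without the intended 90-day expiry. Replacing both occurrences with `"expirationTime": "@{addDays(utcNow(), 90)}"` removes the dependency on the trigger shape and also measures the 90 days from when the block is applied. As in the alert-trigger template, the empty `default` branch of the Switch combined with the unconditional `Add_comment_to_incident_(V3)` means a hash whose Algorithm is not SHA1/SHA256 gets a comment claiming it was added to MDE indicators when nothing was sent; the comment should run only inside the two cases or the default branch should post its own "not supported" comment.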





@ -0,0 +1,51 @@
# Restrict-MDEFileHash
author: Nicholas DiCola
This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDE for 90 days.
## Quick Deployment
**Deploy with incident trigger** (recommended)
After deployment, attach this playbook to an **automation rule** so it runs when the incident is created.
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDEFileHash%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.png"/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDEFileHash%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
</a>
**Deploy with alert trigger**
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDEFileHash%2Falert-trigger%2Fazuredeploy.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.png"/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDEFileHash%2Falert-trigger%2Fazuredeploy.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
</a>
## Prerequisites
- **For Gov Only** You will need to update the HTTP action URL to the correct URL documented [here](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide#api)
- You will need to grant Ti.ReadWrite permissions to the managed identity. Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App.
```powershell
$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
$MDEAppId = "fc780465-2017-40d4-a0c5-307022471b92"
$PermissionName = "Ti.ReadWrite"
$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
```
## Screenshots
**Incident Trigger**<br>
![Incident Trigger](./incident-trigger/images/Restrict-MDEFileHash_incident.png)<br>
**Alert Trigger**<br>
![Alert Trigger](./alert-trigger/images/Restrict-MDEFileHash_alert.png)<br>