changed name
added screenshots and folder structure
dicolanl 2021-06-08 23:19:49 +00:00
Родитель fdf8af28be
Коммит e69784a9dc
10 изменённых файлов: 412 добавлений и 68 удалений


@ -4,7 +4,7 @@
"metadata": { "metadata": {
"title": "Get-ASCRecommendations", "title": "Get-ASCRecommendations",
"description": "This playbook will call the collect invesitgation package in MDE. It will then loop until thats complete, once complete it will add a comment to the incident and post a message in teams with the URL to download the package.", "description": "This playbook will call the collect invesitgation package in MDE. It will then loop until thats complete, once complete it will add a comment to the incident and post a message in teams with the URL to download the package.",
"prerequisites": "1. You will need the Team Id and Chat Id.", "prerequisites": "1. You will need the Team Id and Chat Id. 2. You will need to grant Machine.CollectForensics permissions to the managed identity.",
"lastUpdateTime": "2021-06-03T00:00:00.000Z", "lastUpdateTime": "2021-06-03T00:00:00.000Z",
"entities": [ "Host" ], "entities": [ "Host" ],
"tags": [ "Repsond" ], "tags": [ "Repsond" ],
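Review bot: The `title` in this metadata block still reads `Get-ASCRecommendations`, while the description and the prerequisite added on the new side (`Machine.CollectForensics`) both describe collecting an MDE investigation package, so the title looks like a copy-paste leftover and should name this playbook. The new prerequisite is the one step an operator has to do by hand after deployment, so it would help to say where the permission is granted, for example `2. Grant the Logic App's managed identity the Machine.CollectForensics app role on the Microsoft Defender for Endpoint API.`. `lastUpdateTime` stays at 2021-06-03 although the metadata changed, and the tag `Repsond` is misspelled. The metadata object continues outside this hunk.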


@ -32,6 +32,19 @@ After deployment, you can run this playbook manually on an alert or attach it to
## Prerequisites ## Prerequisites
- [This](https://www.linkedin.com/pulse/3-ways-locate-microsoft-team-id-christopher-barber-/) blog shows some simple methods to get the Team Id. You will need the Team Id and Channel Id. - [This](https://www.linkedin.com/pulse/3-ways-locate-microsoft-team-id-christopher-barber-/) blog shows some simple methods to get the Team Id. You will need the Team Id and Channel Id.
- You will need to grant Machine.CollectForensics permissions to the managed identity. Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App.
```powershell
$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
$MDEAppId = "fc780465-2017-40d4-a0c5-307022471b92"
$PermissionName = "Machine.CollectForensics"
$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
```
## Screenshots ## Screenshots
**Incident Trigger**<br> **Incident Trigger**<br>


@ -1,11 +0,0 @@
# Isolate-MDATPMachine
author: Nicholas DiCola
This playbook will isolate (full) the machine in Microsoft Defender ATP.
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIsolate-MDATPMachine%2Fazuredeploy.json" target="_blank">
<img src="https://aka.ms/deploytoazurebutton""/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIsolate-MDATPMachine%2Fazuredeploy.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
</a>


@ -2,16 +2,12 @@
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0", "contentVersion": "1.0.0.0",
"metadata": { "metadata": {
"comments": "This playbook will isolate (full) the machine in Microsoft Defender ATP.", "comments": "This playbook will isolate (full) the machine in Microsoft Defender for Endpoint.",
"author": "Nicholas DiCola" "author": "Nicholas DiCola"
}, },
"parameters": { "parameters": {
"PlaybookName": { "PlaybookName": {
"defaultValue": "Isolate-MDATPMachine", "defaultValue": "Isolate-MDEMachine",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string" "type": "string"
} }
}, },
@ -26,9 +22,11 @@
"apiVersion": "2016-06-01", "apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]", "name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]", "location": "[resourceGroup().location]",
"kind": "V1",
"properties": { "properties": {
"displayName": "[parameters('UserName')]", "displayName": "[parameters('PlaybookName')]",
"customParameterValues": {}, "customParameterValues": {},
"parameterValueType": "Alternative",
"api": { "api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
} }
@ -39,9 +37,11 @@
"apiVersion": "2016-06-01", "apiVersion": "2016-06-01",
"name": "[variables('MDATPConnectionName')]", "name": "[variables('MDATPConnectionName')]",
"location": "[resourceGroup().location]", "location": "[resourceGroup().location]",
"kind": "V1",
"properties": { "properties": {
"displayName": "[parameters('UserName')]", "displayName": "[parameters('PlaybookName')]",
"customParameterValues": {}, "customParameterValues": {},
"parameterValueType": "Alternative",
"api": { "api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/wdatp')]" "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/wdatp')]"
} }
@ -55,6 +55,9 @@
"tags": { "tags": {
"LogicAppsCategory": "security" "LogicAppsCategory": "security"
}, },
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [ "dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('MDATPConnectionName'))]" "[resourceId('Microsoft.Web/connections', variables('MDATPConnectionName'))]"
@ -64,7 +67,20 @@
"definition": { "definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": { "actions": {
"Alert_-_Get_hosts": { "Alert_-_Get_incident": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
},
"runAfter": {},
"type": "ApiConnection"
},
"Entities_-_Get_Hosts": {
"inputs": { "inputs": {
"body": "@triggerBody()?['Entities']", "body": "@triggerBody()?['Entities']",
"host": { "host": {
@ -82,25 +98,14 @@
}, },
"type": "ApiConnection" "type": "ApiConnection"
}, },
"Alert_-_Get_incident": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Cases/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}"
},
"runAfter": {},
"type": "ApiConnection"
},
"For_each": { "For_each": {
"actions": { "actions": {
"Actions_-_Isolate_machine_2": { "Condition": {
"actions": {
"Actions_-_Isolate_machine": {
"inputs": { "inputs": {
"body": { "body": {
"Comment": "Isolated from playbook for Azure Sentinel Incident: @{body('Alert_-_Get_incident')?['properties']?['CaseNumber']} - @{body('Alert_-_Get_incident')?['properties']?['Title']}", "Comment": "Isolated from playbook for Azure Sentinel Incident: @{body('Alert_-_Get_incident')?['properties']?['incidentNumber']} - @{body('Alert_-_Get_incident')?['properties']?['title']}",
"IsolationType": "Full" "IsolationType": "Full"
}, },
"host": { "host": {
@ -114,30 +119,68 @@
"runAfter": {}, "runAfter": {},
"type": "ApiConnection" "type": "ApiConnection"
}, },
"Add_comment_to_incident_(V2)_2": { "Add_comment_to_incident_(V3)": {
"inputs": { "inputs": {
"body": { "body": {
"Value": "@{items('For_each')?['HostName']} was isolated in MDATP and the status was @{body('Actions_-_Isolate_machine_2')?['status']}" "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p>@{items('For_each')?['HostName']} was isolated in MDE and the status was @{body('Actions_-_Isolate_machine')?['status']}</p>"
}, },
"host": { "host": {
"connection": { "connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']" "name": "@parameters('$connections')['azuresentinel']['connectionId']"
} }
}, },
"method": "put", "method": "post",
"path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}" "path": "/Incidents/Comment"
}, },
"runAfter": { "runAfter": {
"Actions_-_Isolate_machine_2": [ "Actions_-_Isolate_machine": [
"Succeeded" "Succeeded"
] ]
}, },
"type": "ApiConnection" "type": "ApiConnection"
} }
}, },
"foreach": "@body('Alert_-_Get_hosts')?['Hosts']", "else": {
"actions": {
"Add_comment_to_incident_(V3)_2": {
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p>@{items('For_each')?['HostName']} does not have MDEDeviceID in the Entities list. &nbsp;It was not isolated.&nbsp;</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@items('For_each')?['MdatpDeviceId']",
"@null"
]
}
}
]
},
"runAfter": {},
"type": "If"
}
},
"foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
"runAfter": { "runAfter": {
"Alert_-_Get_hosts": [ "Entities_-_Get_Hosts": [
"Succeeded" "Succeeded"
] ]
}, },
@ -175,12 +218,22 @@
"azuresentinel": { "azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]", "connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}, },
"wdatp": { "wdatp": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('MDATPConnectionName'))]", "connectionId": "[resourceId('Microsoft.Web/connections', variables('MDATPConnectionName'))]",
"connectionName": "[variables('MDATPConnectionName')]", "connectionName": "[variables('MDATPConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/wdatp')]" "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/wdatp')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
} }
} }
} }
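Review bot: A failed isolation leaves no trace in the incident, because `Add_comment_to_incident_(V3)` inside `Condition` has `runAfter` set to `"Actions_-_Isolate_machine": [ "Succeeded" ]` only. This commit moves the `wdatp` connection to the managed identity, and the `Machine.Isolate` app role has to be granted by hand after the template is deployed, so a rejected MDE call is a likely first-run outcome and an analyst reading the incident could assume the host was contained. I would add a sibling action in the same `actions` object that runs on `Failed` and `TimedOut` and states that the machine was not isolated. The new incident-trigger template later in this commit has the same gap; there `incidentArmId` would be `@triggerBody()?['object']?['id']`.

```json
"Add_comment_to_incident_(V3)_isolation_failed": {
    "inputs": {
        "body": {
            "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
            "message": "<p>Isolation of @{items('For_each')?['HostName']} in MDE did not complete. The machine may still be connected.</p>"
        },
        "host": {
            "connection": {
                "name": "@parameters('$connections')['azuresentinel']['connectionId']"
            }
        },
        "method": "post",
        "path": "/Incidents/Comment"
    },
    "runAfter": {
        "Actions_-_Isolate_machine": [
            "Failed",
            "TimedOut"
        ]
    },
    "type": "ApiConnection"
}
```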

Двоичный файл не отображается.



@ -0,0 +1,237 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Isolate-MDEMachine",
"description": "This playbook will isolate (full) the machine in Microsoft Defender for Endpoint.",
"prerequisites": "You will need to grant Machine.Isolate permissions to the managed identity.",
"lastUpdateTime": "2021-06-08T00:00:00.000Z",
"entities": [ "Host" ],
"tags": [ "Remediation" ],
"support": {
"kind": "Community"
},
"author": {
"name": "Nicholas DiCola"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "Isolate-MDEMachine",
"type": "string"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"MDATPConnectionName": "[concat('wdatp-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('MDATPConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/wdatp')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security"
},
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('MDATPConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Entities_-_Get_Hosts": {
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/host"
},
"runAfter": {},
"type": "ApiConnection"
},
"For_each": {
"actions": {
"Condition": {
"actions": {
"Actions_-_Isolate_machine": {
"inputs": {
"body": {
"Comment": "Isolated from playbook for Azure Sentinel Incident: @{triggerBody()?['object']?['properties']?['incidentNumber']} - @{triggerBody()?['object']?['properties']?['title']}",
"IsolationType": "Full"
},
"host": {
"connection": {
"name": "@parameters('$connections')['wdatp']['connectionId']"
}
},
"method": "post",
"path": "/api/machines/@{encodeURIComponent(items('For_each')?['MdatpDeviceId'])}/isolate"
},
"runAfter": {},
"type": "ApiConnection"
},
"Add_comment_to_incident_(V3)": {
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{items('For_each')?['HostName']} was isolated in MDE and the status was @{body('Actions_-_Isolate_machine')?['status']}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {
"Actions_-_Isolate_machine": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"else": {
"actions": {
"Add_comment_to_incident_(V3)_2": {
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{items('For_each')?['HostName']} does not have MDEDeviceID in the Entities list. &nbsp;It was not isolated.&nbsp;</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@items('For_each')?['MdatpDeviceId']",
"@null"
]
}
}
]
},
"runAfter": {},
"type": "If"
}
},
"foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
"runAfter": {
"Entities_-_Get_Hosts": [
"Succeeded"
]
},
"type": "Foreach"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"wdatp": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('MDATPConnectionName'))]",
"connectionName": "[variables('MDATPConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/wdatp')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
}
]
}
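Review bot: The `prerequisites` string names only `Machine.Isolate`, but the `azuresentinel` entry under `$connections` is also set to `ManagedServiceIdentity`, so the Logic App's identity needs a role on the Sentinel workspace before the two `/Incidents/Comment` posts can succeed. As far as I know the Sentinel connector expects the Sentinel Responder role for this; please confirm and add it to `prerequisites` and the README, e.g. `2. Assign the Sentinel Responder role on the workspace's resource group to the managed identity.`. The order of actions makes the gap matter: `Actions_-_Isolate_machine` runs before the comment, so with only the MDE role granted the machine is fully isolated and the incident records nothing. The alert-trigger template in this commit uses the same connection settings and needs the same prerequisite. Separately, `Condition` compares `MdatpDeviceId` with `@null` only; if the entities action can return an empty string (not visible here), the isolate path would be built without a machine id, so an `empty()` check would be safer.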

Двоичный файл не отображается.


Двоичный файл не отображается.


Двоичный файл не отображается.



@ -0,0 +1,52 @@
# Isolate-MDEMachine
author: Nicholas DiCola
This playbook will isolate (full) the machine in Microsoft Defender for Endpoint.
## Quick Deployment
**Deploy with incident trigger** (recommended)
After deployment, attach this playbook to an **automation rule** so it runs when the incident is created.
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIsolate-MDEMachine%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
<img src="https://aka.ms/deploytoazurebutton"/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIsolate-MDEMachine%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
</a>
**Deploy with alert trigger**
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIsolate-MDEMachine%2Falert-trigger%2Fazuredeploy.json" target="_blank">
<img src="https://aka.ms/deploytoazurebutton"/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIsolate-MDEMachine%2Falert-trigger%2Fazuredeploy.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
</a>
## Prerequisites
- You will need to grant Machine.Isolate permissions to the managed identity. Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App.
```powershell
$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
$MDEAppId = "fc780465-2017-40d4-a0c5-307022471b92"
$PermissionName = "Machine.Isolate"
$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
```
## Screenshots
**Incident Trigger**<br>
![Incident Trigger](./incident-trigger/images/Isolate-MDEMachine_incident.png)<br>
**Alert Trigger**<br>
![Alert Trigger](./alert-trigger/images/Isolate-MDEMachine_alert.png)<br>