Get-MachineData-EDR-SOAR-ActionsOnMachine

author: Kloudynet Technologies

This playbook sends a Microsoft Teams notification when Defender for Endpoint generates an alert. The Teams notification should also include data about:

  • Machine Vulnerabilities
  • Missing KBs
  • Security Recommendations
  • Alerts
  • Software Inventory

It should also be able to perform actions such as:

  • Restrict App Execution
  • Start AV scan

Prerequisites

  1. Defender for Endpoint / MDATP / EDR
  2. Microsoft SharePoint online
  3. Microsoft Teams
  4. Azure AD App registered with the following permissions under "WindowsDefenderATP"
    • Alert.Read.All
    • Alert.ReadWrite.All
    • Machine.Read.All
    • Machine.RestrictExecution
    • Machine.Scan
    • SecurityRecommendation.Read.All
    • Software.Read.All
    • Vulnerability.Read.All
  5. Azure Key Vault - To store the App Secret of the Azure AD Application
    • Create a secret called "ClientAppSecret" and store the App Secret of the Azure AD Application

API Connections

API connections for the above mentioned prerequisites are created as a part of ARM template deployment.

Setup

  1. Create an Azure AD App from Azure AD App Registrations
  2. Configure the App API Permissions
    • Refer above permissions mentioned under Prerequisites, point (4)
  3. Generate a client secret for the created Azure AD App and store it in an Azure Key Vault
    • Create a secret called "ClientAppSecret" in the Azure Key Vault and store the App Secret of the Azure AD Application
  4. Deploy the template
    • Give an appropriate name for the Playbook.
    • All the dependent API connections are created automatically as part of the ARM template deployment.
  5. Once deployed, open the logic app and authorize and configure API connectors
    • Ensure all functions have been authorized with their appropriate connectors
    • Set up the HTTP connector - Provide the Tenant ID and the client/app ID of the app you registered
    • Azure Key Vault - Authorize the Azure Key Vault Connector with the Key Vault resource in which the client secret of the Azure AD App (mentioned in 1) is stored
    • SharePoint connection - To store all the reports
    • Teams connection - To send the notification
  6. Select the SharePoint site at the "Create new subfolder under Documents to store all csv files" block of the logic app and select "List or Library" as "Documents"
  7. Make sure to give the same SharePoint site URL as in the above step at the blocks "Create missing KBs csv file", "Create installed software csv file", "Create alerts csv file", "Create recommendation csv file" and "Create vulnerabilities csv file", which sit under the "For each MDATP host - get missing KBs", "For each MDATP host - get software inventory", "For each MDATP host - get alerts", "For each MDATP host - get recommendations" and "For each MDATP host - get vulnerabilities" blocks respectively.
  8. Also make sure "Create sharing link for the subfolder which contains all csv files" is given the same SharePoint site URL and the Library Name (Documents) in (6)
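
To confirm that the app registration from steps 1 and 2 carries exactly the permissions listed under Prerequisites, point (4), the following added example (not part of the original playbook or its ARM template) compares the `roles` claim of an app-only access token against that list. It assumes the token was obtained with the app's client credentials; the function names are hypothetical and the sample token is constructed.

```python
import base64
import json

# Application permissions listed under Prerequisites, point (4).
# "Alert.Read.All" is the name the Defender for Endpoint API uses.
REQUIRED_ROLES = {
    "Alert.Read.All", "Alert.ReadWrite.All", "Machine.Read.All",
    "Machine.RestrictExecution", "Machine.Scan",
    "SecurityRecommendation.Read.All", "Software.Read.All",
    "Vulnerability.Read.All",
}

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (audit use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_roles(token: str, required=REQUIRED_ROLES) -> dict:
    """Compare the token's application roles with the set the playbook needs."""
    roles = jwt_claims(token).get("roles", [])
    if isinstance(roles, str):  # tolerate a single role serialized as a string
        roles = [roles]
    granted = set(roles)
    return {
        "missing": sorted(required - granted),  # playbook calls needing these are refused
        "excess": sorted(granted - required),   # privilege beyond what the playbook needs
    }

def make_sample_token(roles) -> str:
    """Build an unsigned, constructed token for the demo; not a real credential."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"roles": roles}), "sig"])

if __name__ == "__main__":
    # Constructed sample: two required roles absent, one unrelated role present.
    granted = sorted(REQUIRED_ROLES - {"Machine.Scan", "Software.Read.All"})
    sample = make_sample_token(granted + ["Machine.Isolate"])
    print(audit_roles(sample))
```

An empty "missing" list means the Restrict App Execution and Start AV scan actions have the permissions they need; anything under "excess" is a candidate for removal from the app registration.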

Support

Optionally, you can always reach out to kloudynetklassrooms@kloudynet.com to get further assistance.