Azure-Sentinel/Playbooks/Restrict-MDATPFileHash
dicolanl 2af80cf7eb
Restrict-MDATPFileHash (#653)
2020-05-07 13:48:49 -07:00
readme.md

Restrict-MDATPFileHash

author: Nicholas DiCola

This playbook takes FileHash entities and, for each file hash, creates an "alert and block" threat indicator in MDATP that expires after 90 days.

Additional Post Install Notes:

The Logic App creates and uses a Managed System Identity (MSI) to authenticate and authorize against api.securitycenter.windows.com to update threat indicators.

The MSI must be granted the 'Ti.ReadWrite' application permission on the WindowsDefenderATP app. To assign it, use PowerShell with the AzureAD module and run the following commands:

```powershell
# Service principal of the Logic App's managed identity (its display name is the Logic App name)
$msi = Get-AzureADServicePrincipal | ?{$_.DisplayName -ieq "Restrict-MDATPFileHash"}
# Service principal of the WindowsDefenderATP app (well-known AppId)
$graph = Get-AzureADServicePrincipal -Filter "AppId eq 'fc780465-2017-40d4-a0c5-307022471b92'"
# App roles named Ti.ReadWrite exposed by that app
$roles = $graph.AppRoles | ?{$_.Value -imatch "Ti.ReadWrite" }

# Grant each matching role to the managed identity
Foreach ($role in $roles){ New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId -Id $role.Id -ResourceId $graph.ObjectId }
```
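The commands above fail with an error if the assignment already exists and give no confirmation of what the identity ended up holding. The following script is an added example, not part of the playbook or of the Azure Sentinel repository: it grants Ti.ReadWrite only when it is missing and then lists every WindowsDefenderATP app role the managed identity holds, so anything beyond Ti.ReadWrite stands out as excess privilege. It assumes the AzureAD module is loaded and `Connect-AzureAD` has been run; the Logic App name and the WindowsDefenderATP AppId are the ones from this readme.

```powershell
# Added example (not the playbook's own code): idempotent grant of Ti.ReadWrite plus a
# least-privilege check. Assumes Connect-AzureAD has already been run.
$logicAppName = "Restrict-MDATPFileHash"                       # Logic App / MSI display name from the readme
$mdatpAppId   = "fc780465-2017-40d4-a0c5-307022471b92"         # WindowsDefenderATP AppId from the readme

# Service principal created for the Logic App's managed identity
$msi = Get-AzureADServicePrincipal -Filter "DisplayName eq '$logicAppName'"
if (-not $msi) { throw "No service principal named '$logicAppName'; enable the Logic App's managed identity first." }

# Service principal of the WindowsDefenderATP app and its Ti.ReadWrite app role
$mdatp = Get-AzureADServicePrincipal -Filter "AppId eq '$mdatpAppId'"
$role  = $mdatp.AppRoles | Where-Object { $_.Value -eq "Ti.ReadWrite" }
if (-not $role) { throw "WindowsDefenderATP app exposes no Ti.ReadWrite role." }

# Does the MSI already hold this role on the WindowsDefenderATP resource?
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId |
    Where-Object { $_.ResourceId -eq $mdatp.ObjectId -and $_.Id -eq $role.Id }

if ($existing) {
    Write-Host "Ti.ReadWrite already assigned to $logicAppName; nothing to do."
} else {
    New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId `
        -Id $role.Id -ResourceId $mdatp.ObjectId | Out-Null
    Write-Host "Assigned Ti.ReadWrite to $logicAppName."
}

# Least-privilege check: list every WindowsDefenderATP app role the MSI now holds.
# AppRole.Id is a Guid while the assignment's Id is a string, so key the lookup on strings.
$roleById = @{}
$mdatp.AppRoles | ForEach-Object { $roleById[[string]$_.Id] = $_.Value }
Get-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId |
    Where-Object { $_.ResourceId -eq $mdatp.ObjectId } |
    ForEach-Object { "{0} holds {1}" -f $logicAppName, $roleById[[string]$_.Id] }
```

Run it once after deploying the Logic App and again after any redeployment: if the managed identity was recreated it gets a new ObjectId and the role must be granted afresh, and the final listing should show only Ti.ReadWrite.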