18310804f0
1. Fix lastUpdateTime for the generic template
2. Fixed missing "PlaybookName" parameter for Block-OnPremADUser
3. Fixed wrong workflow resource name for Run-AzureVMPacketCapture
4. Fixed hard-coded locations in GET-MDEProcessActivityWithin30Min, Get-Recipients-EmailMessageID-containtning-URL, Get-VTURLPositivesComment, Post-Tags-And-Comments-To-Your-Intsights-Account, SpurEnrichment
5. Fix support tier for Get-MDE-statistics, IdentityProtection-TeamsBotResponse, QuickStart-SentinelTriggers
6. SecureObject instead of secureobject in Resolve-MCAS
7. dnsresolution instead of DnsResoultion for entities in Restrict-MDEDomain
8. empty entities in SendAZCom
Directory contents: azuredeploy.json, readme.md
readme.md
Get-Recipients-EmailMessageID-containing-URL
author: Dennis Pike
Overview
This playbook queries Microsoft Defender for Office 365 telemetry through the Microsoft 365 Defender Advanced Hunting API for every email that contains one of the incident's URL entities, and adds a comment to the incident listing each URL with the recipients and email message IDs (NetworkMessageId) of the emails that carried it.
Required Parameters
- Region
- Playbook Name
- User Name - this is used to pre-populate the username used in the various Azure connections
An Azure AD app registration with the required API permission (AdvancedHunting.Read.All, an application permission on the Microsoft 365 Defender / Microsoft Threat Protection API, granted with admin consent) and a client secret is needed to supply the following parameters. See:
https://docs.microsoft.com/microsoft-365/security/mtp/api-advanced-hunting?view=o365-worldwide
- Tenant ID
- Client ID
- Secret
Necessary configuration steps
Once this playbook template is deployed, open the Logic App in the designer and click each step that requires an authenticated connection to your tenant to complete the connection. These steps are marked with an exclamation point until the connection is completed. Make sure to also expand the "For each" step, which contains a further step that requires an authenticated connection. The identity used for the Microsoft Sentinel connection needs at least the Microsoft Sentinel Responder role on the workspace, since the playbook adds comments to incidents. The Tenant ID, Client ID and Secret parameters are what the playbook uses to obtain a token for the Advanced Hunting API, so when the client secret is rotated in the app registration the playbook must be updated as well.
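The following is an added example, not the playbook's own Logic App definition, that carries out the same steps from a stand-alone Python script: obtain a token with the app registration (tenant ID, client ID, secret) described above, run an Advanced Hunting query over EmailUrlInfo joined to EmailEvents for a list of URL entities, and render the result in the form the playbook posts as an incident comment. It goes one step beyond the page's description in how the query is built: URL entities originate from an incident and may be attacker-controlled, so they are passed into the query as a JSON-encoded KQL dynamic() literal rather than spliced into the query text. The environment variable names, the 30-day lookback and the sample result rows are assumptions of this example; the token endpoint, API endpoint and table names are the documented ones.

```python
"""Added example (not the playbook's code): query the Microsoft 365 Defender
Advanced Hunting API for emails carrying a set of URLs and format the result
as an incident comment. Standard library only. Assumes an app registration
with the AdvancedHunting.Read.All application permission."""
import json
import urllib.parse
import urllib.request
from collections import defaultdict

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
HUNT_URL = "https://api.security.microsoft.com/api/advancedhunting/run"
SCOPE = "https://api.security.microsoft.com/.default"


def build_query(urls, lookback="30d"):
    """Return the KQL query for a list of URL entities.

    The URLs come from an incident and may be attacker-controlled, so they
    are JSON-encoded into a KQL dynamic() literal instead of being spliced
    into the query text: quotes, backslashes and pipes in a URL stay inside
    the literal and cannot change the shape of the query. The lookback is a
    trusted operator setting (assumed default: 30 days).
    """
    url_list = json.dumps(sorted(set(urls)))
    return (
        f"let urls = dynamic({url_list});\n"
        "EmailUrlInfo\n"
        f"| where Timestamp > ago({lookback})\n"
        "| where Url in~ (urls)\n"
        "| join kind=inner (EmailEvents | project NetworkMessageId, "
        "RecipientEmailAddress) on NetworkMessageId\n"
        "| distinct Url, RecipientEmailAddress, NetworkMessageId"
    )


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for the Microsoft 365 Defender API."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def run_hunting_query(token, query):
    """POST the query to the Advanced Hunting API; return the Results rows."""
    req = urllib.request.Request(
        HUNT_URL,
        data=json.dumps({"Query": query}).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["Results"]


def group_results(rows):
    """Group result rows by URL into sorted, de-duplicated
    (recipient, NetworkMessageId) pairs."""
    groups = defaultdict(set)
    for row in rows:
        groups[row["Url"]].add((row["RecipientEmailAddress"],
                                row["NetworkMessageId"]))
    return {url: sorted(pairs) for url, pairs in sorted(groups.items())}


def format_comment(groups):
    """Render the grouped rows as the text of an incident comment."""
    if not groups:
        return "No emails containing the incident's URL entities were found."
    lines = ["Emails containing the incident's URL entities:"]
    for url, pairs in groups.items():
        lines.append(f"URL: {url}")
        for recipient, message_id in pairs:
            lines.append(f"  Recipient: {recipient}  NetworkMessageId: {message_id}")
    return "\n".join(lines)


if __name__ == "__main__":
    import os
    import sys
    # Assumed environment variable names; URLs are passed as arguments.
    token = get_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"],
                      os.environ["CLIENT_SECRET"])
    rows = run_hunting_query(token, build_query(sys.argv[1:]))
    print(format_comment(group_results(rows)))
```

Run it as `TENANT_ID=... CLIENT_ID=... CLIENT_SECRET=... python script.py https://example.invalid/login` to see the comment text the playbook would post. The `distinct` at the end of the query matters because EmailEvents has one row per recipient, so the join can otherwise return the same (URL, recipient, message ID) triple more than once.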