История

Dennis Pike 4418ad8b71 included fixes for arm template where connector name was wrong		2021-03-09 14:43:46 -05:00
..
azuredeploy.json	included fixes for arm template where connector name was wrong	2021-03-09 14:43:46 -05:00
readme.md	initial playbook work	2021-03-09 11:47:41 -05:00

readme.md

Get-Recipients-EmailMessageID-containing-URL

author: Dennis Pike

Overview

This Playbook queries Microsoft Defender for o365 telemetry data via the Microsoft 365 Defender Advanced Hunting API for all emails that contain URL incident entities and adds a comment to the incident listing the URLs with Recipients and Email Message IDs.

Required Paramaters

Region
Playbook Name
User Name - this is used to pre-populate the username used in the various Azure connections

An Azure AD App registration with required API permissions and secret will needed to provide the following parameters https://docs.microsoft.com/microsoft-365/security/mtp/api-advanced-hunting?view=o365-worldwide

Tenant ID
Client ID
Secret

Necessary configuration steps

Once this Playbooks template is deployed, you will need to go into the Logic App, edit it and click on each of the steps that require an authenticated connection to your tenant and complete the connection process. These steps will have an exclamation point showing that the connection needs to be completed. Make sure to also open the "For each" step which also contains a step that requires an authenticated connection.