Azure-Sentinel/Playbooks/Restrict-MDATPIPAddress
dicolanl 33c23ea841
Update azuredeploy.json
2020-05-13 13:28:43 -04:00

Restrict-MDATPIpAddress

author: Nicholas DiCola

This playbook takes the IP entities from an incident and, for each IP, creates an "alert and block" threat indicator in MDATP that expires after 90 days.

Additional Post Install Notes:

The Logic App creates and uses a system-assigned managed identity (MSI) to authenticate and authorize against api.securitycenter.windows.com when it updates threat indicators.

The MSI must be granted the 'Ti.ReadWrite' application permission on the WindowsDefenderATP app. To assign it, use PowerShell with the AzureAD module and run the following commands:

```powershell
# Service principal of the Logic App's managed identity (use the display name of your deployed Logic App)
$msi = Get-AzureADServicePrincipal | ?{ $_.DisplayName -ieq "Restrict-MDATPUrl" }

# Service principal of the WindowsDefenderATP app (well-known AppId)
$graph = Get-AzureADServicePrincipal -Filter "AppId eq 'fc780465-2017-40d4-a0c5-307022471b92'"

# App role(s) matching Ti.ReadWrite
$roles = $graph.AppRoles | ?{ $_.Value -imatch "Ti.ReadWrite" }

# Assign each matching role to the managed identity
Foreach ($role in $roles) {
    New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId -Id $role.Id -ResourceId $graph.ObjectId
}
```
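Two checks a practitioner usually wants after the steps above, as an added example that is not part of the playbook: confirm the Ti.ReadWrite assignment actually landed on the MSI, and build the indicator body the playbook submits for one IP. It assumes an AzureAD module session, that `Get-AzureADServiceAppRoleAssignment` lists assignments on the resource app, and the field names of the Defender for Endpoint "Submit or Update Indicator" API; the function names and the indicator title are hypothetical.

```powershell
# Added example, not the playbook's own code. Verifies the MSI permission from the readme
# steps and builds the 90-day AlertAndBlock indicator body for a single IP address.

function Test-MdatpTiRoleAssignment {
    # Returns $true when the Logic App's MSI holds every Ti.ReadWrite app role on WindowsDefenderATP.
    param([string]$LogicAppName = "Restrict-MDATPUrl")   # name of the deployed Logic App

    $msi = Get-AzureADServicePrincipal | Where-Object { $_.DisplayName -ieq $LogicAppName }
    if (-not $msi) { throw "No service principal named '$LogicAppName' was found" }

    $wdatp  = Get-AzureADServicePrincipal -Filter "AppId eq 'fc780465-2017-40d4-a0c5-307022471b92'"
    $wanted = ($wdatp.AppRoles | Where-Object { $_.Value -imatch "Ti.ReadWrite" }).Id

    # Assumption: this cmdlet lists the principals assigned roles on the WDATP resource app.
    $granted = (Get-AzureADServiceAppRoleAssignment -ObjectId $wdatp.ObjectId |
                Where-Object { $_.PrincipalId -eq $msi.ObjectId }).Id

    $missing = $wanted | Where-Object { $granted -notcontains $_ }
    if ($missing) { Write-Warning "MSI is missing app role id(s): $($missing -join ', ')" }
    return (-not $missing)
}

function New-MdatpIpIndicatorBody {
    # Builds the JSON body for POST https://api.securitycenter.windows.com/api/indicators
    # (Defender for Endpoint "Submit or Update Indicator" API); the title text is hypothetical.
    param([Parameter(Mandatory)][string]$IpAddress, [int]$Days = 90)

    $ip = $null
    # TryParse is lenient ("1" parses as 0.0.0.1), so also require the input to round-trip unchanged.
    if (-not [System.Net.IPAddress]::TryParse($IpAddress, [ref]$ip) -or $ip.ToString() -ne $IpAddress) {
        throw "'$IpAddress' is not a canonical IP address; refusing to build an indicator for it"
    }

    @{
        indicatorValue = $ip.ToString()
        indicatorType  = "IpAddress"
        action         = "AlertAndBlock"
        title          = "Restrict-MDATPIpAddress playbook: $ip"
        description    = "Blocked by Azure Sentinel playbook for $Days days"
        expirationTime = (Get-Date).ToUniversalTime().AddDays($Days).ToString("o")
        severity       = "High"
    } | ConvertTo-Json
}

# Usage (constructed sample IP, not an indicator from any real incident):
# Test-MdatpTiRoleAssignment -LogicAppName "Restrict-MDATPIpAddress"
# New-MdatpIpIndicatorBody -IpAddress "203.0.113.10"
```

Run the role check after the assignment step; the body function can be used to review what an indicator with a 90-day expiry looks like before the playbook submits it with its MSI token.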