История

Wayne Lee 8abfd9d237 Fixed readme title		2020-04-30 07:29:35 +08:00
..
azuredeploy.json	Reworked playbook, updated README	2020-04-30 07:09:40 +08:00
readme.md	Fixed readme title	2020-04-30 07:29:35 +08:00
report_template.docx	Initial commit for Get-MDATPVulnerabilities playbook	2020-04-28 22:04:04 +08:00

Get-MDATPVulnerabilities

author: Wayne Lee

This playbook will retrieve the list of vulnerabilities from the Microsoft Defender ATP API for the host entity

Setup

Enable Machine.Read.All and Vulnerability.Read.All permissions from the WindowsDefenderATP API

Ensure all functions have been configured with their appropriate connectors
- Azure Sentinel
- Azure Key Vault (Be sure to also select the secret for the App ID we created)
- Microsoft Defender ATP
- Sharepoint Online
- Word Online
Setup HTTP connector
- Provide the client/app ID of the app you registered.
- If you are an MSSP and need to configure the tenant ID, just go under the Parameters section of the playbook and change the default value of tenantId

Set the Location and Document Library of where you stored the Word template. The VulnDetails parameter should automatically be populated with vulnarray.

Set the Site Address and Folder Path. Filename is named after current UTC time followed by the hostname.

Set the Location and Document Library of where the Word file is stored. If you have stored it in the standard Documents library, the expression in File should be able to dynamically retrieve it.

Set the Site Address and Folder Path to export the PDF. Filename has been configured to use the same format as the Word doc

Set Site address and Library name. The default sharing permissions are limited to the people in your organization, with View-only access.

You can customize the comment field under Add comment to incident (V2) to include more details