Benjamin Kovacevic 8e55dd9e9e entity trigger playbooks 2022-12-22 15:41:56 +00:00

Unisolate-MDE-Machine-entityTrigger

author: Benji Kovacevic

This playbook releases (unisolates) a Microsoft Defender for Endpoint (MDE) device from network isolation. It uses the Microsoft Sentinel entity trigger, so an analyst can run it on demand against a Host entity from an incident.

Prerequisites

None.

Quick Deployment

Deploy to Azure Deploy to Azure Gov

Post-deployment

  1. Assign the Microsoft Sentinel Responder role to the playbook's managed identity. The identity's object ID is shown on the Identity blade under Settings of the Logic App.
  2. Assign the Machine.Isolate application permission of the Microsoft Defender for Endpoint API (WindowsDefenderATP, app ID fc780465-2017-40d4-a0c5-307022471b92) to the managed identity. Machine.Isolate covers both the isolate and the release-from-isolation actions, so no Microsoft Graph permission is needed. The script below grants it with the AzureAD PowerShell module; replace the placeholder with the managed identity's object ID:
```powershell
# Requires the AzureAD module (deprecated in favour of Microsoft Graph PowerShell, but still works for this).
# Run as an account that can grant application permissions (e.g. Global Administrator / Privileged Role Administrator).
Connect-AzureAD

# Object ID of the Logic App's system-assigned managed identity (Identity blade of the Logic App).
$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

# Application (client) ID of the Microsoft Defender for Endpoint API (WindowsDefenderATP), not Microsoft Graph.
$GraphAppId = "fc780465-2017-40d4-a0c5-307022471b92"
$PermissionName1 = "Machine.Isolate"   # also required for the "release from isolation" action

$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
# Resolve the application (not delegated) app role named Machine.Isolate on the MDE API service principal.
$AppRole1 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName1 -and $_.AllowedMemberTypes -contains "Application"}
# Grant that app role to the managed identity (equivalent to admin consent for this one permission).
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole1.Id
```
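After the grant, it is worth confirming that the identity holds exactly what this playbook needs and nothing more, because an over-permissioned Logic App identity is a tempting pivot for anyone who can edit the workflow. The following check is an added example and not part of this playbook's README; it assumes the AzureAD and Az.Resources modules are installed and signed in (Connect-AzureAD and Connect-AzAccount), the same managed identity object ID placeholder, and the MDE API app ID from the grant script above. The function name Test-PlaybookIdentity is illustrative.

```powershell
# Added verification script (not part of the playbook). Assumes Az.Resources and AzureAD modules
# are installed and that Connect-AzAccount and Connect-AzureAD have already been run.
$MIGuid   = "<Enter your managed identity guid here>"   # placeholder, same as in the grant script
$MDEAppId = "fc780465-2017-40d4-a0c5-307022471b92"      # Microsoft Defender for Endpoint API (WindowsDefenderATP)
$Expected = @("Machine.Isolate")                         # the only MDE app role this playbook needs

function Test-PlaybookIdentity {
    param([string]$PrincipalObjectId, [string]$ResourceAppId, [string[]]$ExpectedRoles)

    $ok = $true
    $mdeSp = Get-AzureADServicePrincipal -Filter "appId eq '$ResourceAppId'"

    # Map app role IDs to permission names so assignments can be reported by name.
    $roleNames = @{}
    foreach ($r in $mdeSp.AppRoles) { $roleNames[$r.Id] = $r.Value }

    # App role assignments on the MDE API resource, narrowed to our managed identity.
    # In the AzureAD module, the assignment's Id property is the app role ID.
    $granted = Get-AzureADServiceAppRoleAssignment -ObjectId $mdeSp.ObjectId |
        Where-Object { $_.PrincipalId -eq $PrincipalObjectId } |
        ForEach-Object { $roleNames[$_.Id] }

    foreach ($role in $ExpectedRoles) {
        if ($granted -contains $role) { Write-Host "OK       MDE API permission present: $role" }
        else { Write-Warning "MISSING  MDE API permission: $role"; $ok = $false }
    }
    # Least privilege: flag anything beyond what the playbook needs (e.g. Machine.ReadWrite.All).
    foreach ($role in $granted) {
        if ($ExpectedRoles -notcontains $role) { Write-Warning "EXTRA    MDE API permission not needed by this playbook: $role" }
    }

    # Azure RBAC: the identity must hold Microsoft Sentinel Responder (on the workspace or a parent scope).
    $rbac = Get-AzRoleAssignment -ObjectId $PrincipalObjectId -RoleDefinitionName "Microsoft Sentinel Responder"
    if ($rbac) { $rbac | ForEach-Object { Write-Host "OK       Microsoft Sentinel Responder at scope $($_.Scope)" } }
    else { Write-Warning "MISSING  Microsoft Sentinel Responder role assignment"; $ok = $false }

    return $ok
}

if (Test-PlaybookIdentity -PrincipalObjectId $MIGuid -ResourceAppId $MDEAppId -ExpectedRoles $Expected) {
    Write-Host "Managed identity is ready for Unisolate-MDE-Machine-entityTrigger."
} else {
    Write-Host "Fix the items above and re-run."
}
```

The EXTRA warnings are the part worth acting on: if the same identity was earlier granted broad MDE roles for another playbook, those grants stay in place, and trimming them back to Machine.Isolate limits what a compromised or misconfigured workflow can do.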

Screenshots

Playbook
playbook screenshot