
MS Flow and MS Defender ATP Integration


Integrating Microsoft Flow with Microsoft Defender ATP opens the door to many automation scenarios. The workflow in this post makes sure your security team is alerted by email whenever a serious threat is detected anywhere in the organization, and lets them take action from within that email, whether they are at their desk, traveling, or on a mobile device.

In this demo, you will learn how the MS Flow and MS Defender ATP integration works and how to create a Microsoft Flow that

  • Triggers when a High or Medium severity alert is raised in Microsoft Defender ATP.
  • Starts an approval process that emails your SOC team and lets them approve the (Isolate Machine) action from within that email.
  • Once approved, tells Microsoft Defender ATP to isolate the machine, which contains the incident and buys your team time to investigate.

The Manual Incident Response Today

In my YouTube video, I show step by step how to create the Microsoft Flow that lets you take action from within your email and isolate a compromised machine as soon as an infection is found.

Why is this a powerful feature? Imagine you are part of the security team and you are at home on a Saturday evening, having a good time with friends and family.

At that moment, a person in the HR department who is working late opens an infected Word document that contains a malicious macro. The user enables the macro, and a full attack starts on his machine.

The attack is sophisticated enough that a traditional anti-malware product would not detect it. It drops a backdoor on the machine and creates a scheduled task for persistence.

The attacker would now normally try to move laterally inside the environment and cause further damage, and of course there is no security team working at this late hour or looking at alerts on a security dashboard.

But wait: Microsoft Defender ATP on that machine detects the zero-day attack and marks the machine as high risk. Again, you are at home and not looking at the ATP dashboard right now.


Now, if you are an expert, you will have configured alerting so that you receive an email notification from Microsoft Defender ATP about this attack. You are sitting with your family, looking at that notification email about the attack in progress.

You quickly realize that the attacker is on the move and is planning to compromise other machines and reach more valuable assets. You know you have to leave your family and go investigate the attack in the Microsoft Defender ATP portal.

But wait: you don't have your laptop with you, and you are a half-hour drive from home. Perhaps you can call the support team, who work 24/7, and spend some time on the phone telling them what to do.


MS Flow and MS Defender ATP Integration

With the MS Flow and MS Defender ATP integration, when such an attack happens you receive an email notification from Microsoft Flow as part of an approval workflow. The email subject would be something like (MDATP Actions – Approve Machine Isolation).

You can see the alert details, and the email also contains links that take you directly to the alert and to the machine page inside Microsoft Defender ATP, so the context is already there.

You can quickly choose Approve, put your phone down and carry on with your evening. In the background, Microsoft Flow sees your approval and tells Microsoft Defender ATP to run the (Isolate Machine) action, one of Defender ATP's remediation actions.

Once isolated, the machine can no longer talk to any other network resource; only its connection to the Microsoft Defender ATP service is kept, so the sensor can keep reporting what the attacker is doing on that machine.


As a security professional, what you did is a containment step in the incident response process. It stops the attack from spreading and prevents further damage, giving you and your team time to investigate later from the Microsoft Defender ATP portal. Isolation is reversible: once the investigation is done, the machine can be released from isolation from the same portal.

Microsoft Flow Step-by-Step

I have published a five-minute video on this MS Flow and MS Defender ATP integration on my YouTube channel here. Nevertheless, here are some screenshots showing how to build the flow.

Keep in mind that you need a paid Microsoft Flow plan for this integration to work, not the free one, because the Microsoft Defender ATP connector is a premium connector. The good news is that only one paid Flow license is needed, assigned to the person who creates the flow.

I create an (automated from blank) flow and use the (Trigger when new WDATP alert occurs) trigger. Then I add two actions: (Alerts – Get single alert) and (Machines – Get single machine).

The reason for (Machines – Get single machine) is that (Alerts – Get single alert) does not expose the machine name as dynamic content, so I could not use it later when sending the email notification.

With (Machines – Get single machine), I get more information about the infected machine, including the computer name and details such as the OS, which I can use later in my notification and approval emails.

Next, a condition checks whether the (Alert Severity) value is High or Medium; only then does the flow move to the next step.

If the condition is true, the flow starts an approval process that prompts the security admin to approve isolating the machine. When the response is Approve, the flow isolates the machine and sends a notification email.

Here is how I configured the (Start and wait for an approval) step mentioned above. Note how I construct the Link to Alert and Link to Machine URLs inside the message body.

[Screenshot: the Start and wait for an approval step, with the Link to Alert and Link to Machine URLs in the message body]

And here is how I configured the Isolate Machine action and the final notification email.

[Screenshot: the Isolate machine action and the final notification email]
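To make the flow's logic explicit, here is the same severity gate, approval gate and isolate action written as plain Python against the Microsoft Defender ATP REST API. This is an added example, not code from the original post or from the Microsoft Flow connector; it assumes the alert fields (id, severity, machineId, title), the isolate endpoint (POST /api/machines/{machineId}/isolate with a Comment and IsolationType body) and the securitycenter.windows.com portal links, and it injects the HTTP transport so it runs offline. It also goes beyond the single-alert flow with a per-machine loop, which is what a bulk isolation over an advanced-hunting result would need since the API isolates one machine per call.

```python
"""Flow logic as code: severity gate -> approval -> isolate machine.

Assumed (not stated on the page): Defender ATP alert/machine field names,
the isolate endpoint and body, and the portal link format. The transport
is injected; wrap requests.request() for real use.
"""
from typing import Callable, Dict, List, Optional

API_BASE = "https://api.securitycenter.microsoft.com/api"
PORTAL_BASE = "https://securitycenter.windows.com"
ACTIONABLE_SEVERITIES = {"High", "Medium"}   # the flow's condition step

# (method, url, headers, json_body) -> decoded JSON response
Transport = Callable[[str, str, dict, Optional[dict]], dict]


def needs_approval(alert: dict) -> bool:
    """Condition step: only High or Medium alerts start the approval process.
    Severities are Informational/Low/Medium/High; normalise case so 'HIGH'
    or 'medium' from another feed still matches."""
    return str(alert.get("severity", "")).title() in ACTIONABLE_SEVERITIES


def build_approval_message(alert: dict, machine: dict) -> str:
    """Approval email body with the Link to Alert / Link to Machine URLs;
    computerDnsName and osPlatform come from the Get single machine call."""
    name = machine.get("computerDnsName", alert["machineId"])
    os_name = machine.get("osPlatform", "unknown OS")
    return (
        "MDATP Actions - Approve Machine Isolation\n"
        f"Alert: {alert['title']} (severity {alert['severity']})\n"
        f"Machine: {name} ({os_name})\n"
        f"Link to Alert: {PORTAL_BASE}/alerts/{alert['id']}\n"
        f"Link to Machine: {PORTAL_BASE}/machines/{alert['machineId']}\n"
    )


def isolate_machine(machine_id: str, comment: str, token: str,
                    transport: Transport, isolation_type: str = "Full") -> dict:
    """Isolate machine action. Full isolation keeps only the Defender ATP
    channel open; Selective additionally allows Outlook/Teams/Skype traffic."""
    if isolation_type not in ("Full", "Selective"):
        raise ValueError("IsolationType must be 'Full' or 'Selective'")
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    body = {"Comment": comment, "IsolationType": isolation_type}
    return transport("POST", f"{API_BASE}/machines/{machine_id}/isolate",
                     headers, body)


def handle_alert(alert: dict, machine: dict, approver: Callable[[str], str],
                 token: str, transport: Transport) -> Optional[dict]:
    """The whole flow for one alert. `approver` plays the Start and wait for
    an approval step: it gets the message and returns 'Approve' or 'Reject'.
    Returns the isolate response, or None when nothing was done."""
    if not needs_approval(alert):
        return None
    if approver(build_approval_message(alert, machine)) != "Approve":
        return None
    return isolate_machine(alert["machineId"],
                           f"Approved isolation for alert {alert['id']}",
                           token, transport)


def isolate_many(machine_ids: List[str], comment: str, token: str,
                 transport: Transport) -> Dict[str, dict]:
    """Bulk variant: one API call per machine, e.g. over the machine IDs
    returned by an advanced hunting query on a file hash."""
    return {mid: isolate_machine(mid, comment, token, transport)
            for mid in machine_ids}


# --- constructed sample data and an offline transport ----------------------
SAMPLE_ALERT = {            # constructed; shaped like a Defender ATP alert
    "id": "da637000000000000000_-0000000001",
    "title": "Suspicious macro launched a scheduled task",
    "severity": "High",
    "machineId": "0123456789abcdef0123456789abcdef01234567",
}
SAMPLE_MACHINE = {          # constructed; shaped like Get single machine
    "id": SAMPLE_ALERT["machineId"],
    "computerDnsName": "hr-laptop-07.corp.example.com",
    "osPlatform": "Windows10",
}
SENT: List[dict] = []       # every request the offline transport "sent"


def fake_transport(method: str, url: str, headers: dict,
                   body: Optional[dict]) -> dict:
    """Records the request and answers like the machine-action API: the
    action stays 'Pending' until the device next checks in."""
    SENT.append({"method": method, "url": url, "headers": headers, "body": body})
    return {"type": "Isolate", "status": "Pending",
            "machineId": url.split("/")[-2]}


if __name__ == "__main__":
    result = handle_alert(SAMPLE_ALERT, SAMPLE_MACHINE, lambda msg: "Approve",
                          "dummy-token", fake_transport)
    print(result)
    print(SENT[-1]["url"], SENT[-1]["body"])
```

The two gates are deliberately separate functions: a Low or Informational alert never reaches the approver, and a rejected approval never reaches the API, which mirrors the flow's condition and approval steps and makes each decision testable on its own.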

References

Special Thanks

Special thanks to Stefan Schörling, a fellow MVP, for his help in creating this blog post and my YouTube video [MS Flow and MS Defender ATP Integration]. Check out his blog post mentioned in the references section.

Bonus YouTube Video

Learn how to use Microsoft Defender ATP to detect and respond to zero-day attacks.

About The Author

Ammar Hasayen

Ammar is a digital transformer, cloud architect, public speaker and blogger. He is considered a trusted advisor with the ability to quickly navigate complex multi-cultural organizations and continuously improve and motivate cross-functional teams to achieve higher productivity, collaboration, revenue gain and cross-group knowledge sharing. His contributions to the tech community helped him get awarded the Microsoft Most Valuable Professional. Ammar appears at many global conferences, and he has many publications about digital transformation and next-generation technologies.

2 Comments

  1. Balaji

    Very informative blog. Thanks!
    Does the approach you indicate here work for multiple endpoints that need to be quarantined – for example – if Flow learns of a malicious application (say a ransomware) that needs to be blacklisted across the enterprise, can this be done with a single operation or does one need to do it per-machine?

    • Ammar Hasayen

      Thanks for your feedback.
      First, this integration between Microsoft Flow and Microsoft Defender ATP is all about automation, so if you put the right criteria in the Microsoft Flow condition, you can have Microsoft Flow trigger the isolation of all machines that match the criteria, although automating isolation in bulk needs an approval first.
      A better way would be to use Microsoft Defender ATP advanced hunting to look for the hash of that file (ransomware) and see which machines are affected, to investigate the scope of the attack and incident. Taking bulk actions is currently not possible unless you use the API and write your own code to do so, but I am sure the product group will come up with a bulk remediation feature very soon.

