MS Flow and MS Defender ATP Integration opens the opportunity for many automation scenarios to come. The whole workflow you will see today ensures your security teams are alerted by email at all times about threats across your organization, and they can take actions from within that email whether they are at work, traveling and from their mobile devices.
In this demo, you will learn more about this MS Flow and MS Defender ATP Integration and how to create a Microsoft Flow that
- Detects if a High or Medium severity alert occurs in Microsoft Defender ATP.
- If that happens, start a workflow approval process that sends email to your SOC team to approve the (Isolate Machine) action from within that email.
- Once approved, Microsoft Defender ATP isolates the machine, which helps containing the incident and giving time to your team to investigate the incident.
The Manual Incident Response Today
In my YouTube video, I show step-by-step how to create the Microsoft Flow that helps you take actions from within your email and isolate a compromised machine once infection is found.
Why this is a powerful feature? Well, imagine you are part of the security team, and you are at home in a Saturday evening having good time with your friends and family.
At that time, a person from the HR department working late at night, opens an infected word document that contains malicious macro. The poor user enabled the macro and started a full attack on his machine.
The attack itself is complicated that a normal anti-malware software would not detect. The attack drops a backdoor on the machine, and creates a scheduled task for persistence.
Now the attacker normally would try to move inside the environment and cause further damage, and of course there is no security teams working at this late hour or look at any alerts from a security dashboard.
But wait, Microsoft Defender ATP on that machine detects the zero-day attack and mark the machine with a high risk. Again, you are at home and not looking at the ATP dashboard right now.
Now if you are an expert, you would configure alerting so that you receive an email notification from Microsoft Defender ATP about this attack. You are sitting with your family, and you are looking at that notification email about the attack happening.
You quickly realize that the attacker is now on the move and is planning to compromise other machines and get access to more valuable asset. You know you have to leave your family and go investigate the attack from the Microsoft Defender ATP portal.
But wait, you don’t have your laptop with you, and you have to drive half an hour to reach your home. Perhaps you can call the support team who are working 24/7 and spend sometime on the phone telling them what to do.
MS Flow and MS Defender ATP Integration
Now with the MS Flow and MS Defender ATP Integration, when such attack happens, you receive an email notification from Microsoft flow as part of a workflow approval process. The email title would be something like (MDATP Actions – Approve Machine Isolation)
You can look at the alert details, you can also see links in the email taking you directly to the alert details and the machine page inside Microsoft Defender ATP, so you have that context already there.
You can quickly choose Approve, leave your phone and continue having good time with your friends and family. In the background, Microsoft flow will see your approval action, and will signal Microsoft Defender ATP to perform (Isolate Machine action) as part of Microsoft Defender ATP remediation actions.
By isolating the machine, the machine now can’t talk to any other network resources except the MS Defender ATP services to keep an eye on what the attacker is doing on that machine.
As a security professional, what you did is a remediation step as part of an incident response process. The remediation step makes sure you contained the attack and prevented more damage, giving you and your team more time to investigate the attack later from the Microsoft Defender ATP portal.
Microsoft Flow Step-by-Step
I have published a five minutes video on this MS Flow and MS Defender ATP Integration on my YouTube channel here. Nevertheless, I will put some screenshots about how to create MS Flow and MS Defender ATP Integration flow here.
Keep in mind that you need a paid Microsoft Flow plan for this MS Flow and MS Defender ATP Integration to work, not the free one in order to use the premium connections. You only need one paid flow license assigned to person creating the flow which is the good news here.
I am creating an (automated from blank) flow and then I am using the (Trigger when new WDATP alert occurs). Then I am going to use to actions (Alerts – Get single alert) and (Machines – Get single machine)
The reason why I am using the (Machines – Get single machine) is because the previous (Alerts – Get single alert) action does not populate the machine name as one of the dynamic content available for me to use later to send an email notification with the machine name.
Therefore, with this (Machines – Get single machine) action, I get more information about the infected machine, including the computer name and other information like O.S, which I can use later on in my notification and approval emails.
Next, I will check if the (Alert Alert Servility) value is either High or Medium and then move to the next step.
Now if the previous condition is true, then we are going to start an approval process which prompt the security admin to approve isolating a machine. When the Response is Approve, I am going to Isolate the machine and send a notification email.
Now, here is how I configured the Start and wait for an approval step mentioned above. Note how I construct the Link to Alert and Link to Machine URLs inside the message body.
And here is how I configured the Isolate Machine action and the final notification email.
References
- Microsoft Defender ATP tutorials for beginners
- Learn Microsoft Flow
- Automate response with Defender ATP and Microsoft Flow blog post by Stefan Schörling
You can also check my blog post [Protect Your CEO Machine with Microsoft Flow & Microsoft Defender ATP]
Special Thanks
Special thanks to Stefan Schörling, a fellow MVP for his help in creating this blog post and my YouTube video [MS Flow and MS Defender ATP Integration]. Check out his blog post mentioned in the references section.
Bonus YouTube Video
Learn how to use Microsoft Defender ATP to detect and respond to zero-day attacks.
Featured Posts
You Can Also Become Microsoft MVP
How To Start Your Own Blog – Microsoft MVP Story
Cloud Reference Architecture CRA P1 – Foundation
Azure Bastion Step-by Step Guide
Azure advanced threat protection lateral movement
Get my latest book about Cloud Migration
This book covers a practical approach for adopting and migrating on premises systems and applications to the Public Cloud. Based on a clear migration master plan, it helps companies and enterprises to be prepared for Cloud computing, what and how to successfully migrate or deploy systems on Cloud, preparing your IT organization with a sound Cloud Governance model, Security in the Cloud and how to reach the benefits of Cloud computing by automation and optimizing your cost and workloads..
Get the book here and learn more.
Subscribe to my YouTube Channel
In my YouTube channel, I post videos about cloud security and Microsoft MVPs story to help people understand cloud and cybersecurity in simplified and professional way.
Very informative blog. Thanks!
Does the approach you indicate here work for multiple endpoints that need to be quarantined – for example – if Flow learns of a malicious application (say a ransomware) that needs to be blacklisted across the enterprise, can this be done with a single operation or does one need to do it per-machine?
Thanks for your feedback.
First, this integration between Microsoft Flow and Microsoft Defender ATP is all about automation, so if you put the right criteria in the Microsoft Flow condition, you can Microsoft Flow triggers the isolation of all machines that match the criteria. Although automating the isolation in bulk need an approvals first.
A better way would be using Microsoft Defender ATP advanced hunting to look for the hash for that file (Ransomware) and see which machines are affected to investigate the scope of the attack and incident. Now taking bulk actions currently is not possible unless you use the API to write your code to do so, but I am sure the product group will come with bulk remediation feature very soon.