Today I am going to teach you how to improve your incident response plan: get notified immediately when your CEO's machine is compromised, and remediate the threat with one click from your mobile, thanks to the Microsoft Flow and Microsoft Defender ATP integration.
Your CEO is usually traveling and working remotely, and his machine gets infected by a zero-day attack thousands of miles away from his security team. However, a notification about this attack is sent to the security team on their mobile devices, and with one click from their mobile device they can contain the risk and keep your CEO safe from emerging threats.
This is possible today thanks to the integration between Microsoft Flow and Microsoft Defender ATP. So let me show you the end-to-end experience from your CEO's and your security team's perspectives, teach you how to build it, and leave you with good references to learn more.
Your CEO is working remotely while traveling, and a zero-day attack is taking place on his machine without his knowledge.
Not only does Microsoft Defender ATP detect the attack, it also starts an automated investigation to identify suspicious activity on the CEO's machine.
It is midnight back home, and your security team receives a Microsoft Flow notification, an SMS, and a Microsoft Flow action to respond to the attack.
Clicking on the Microsoft Flow action, your security team can quickly initiate an App Restriction policy from within the Microsoft Flow mobile app, get more details about the threat, or even reassign the investigation to the night-shift security team.
An automated Microsoft Teams message is sent to your service desk with the relevant information, so that if the CEO calls asking for help, they already have what they need.
And finally, you receive an email with detailed information and an action to approve restricting app execution on your CEO's machine. Once the restriction is applied, the machine can only run executables signed by Microsoft. This gives your security team more time to investigate the attack while preventing the attacker from causing further damage on the machine.
To avoid any confusion, your CEO receives a notification message that his device has been restricted.
He can still open Office applications, read and respond to business emails, and browse the web normally without interruption. However, he cannot run any application that is not signed by Microsoft, such as Adobe Reader to open a PDF file.
Your CEO communicates back to your security team through Microsoft Teams, and they advise him to reset his password immediately. In the meantime, your security team investigates the incident in the Microsoft Defender ATP portal and removes the App Restriction from the CEO's machine once the incident is closed and the risk is mitigated, allowing your CEO to resume using his machine normally. This is how the Microsoft Flow & Microsoft Defender ATP integration works.
Create the Microsoft Flow: Step-by-Step
Before we start building the Microsoft Flow & Microsoft Defender ATP integration, make sure you have a paid Microsoft Flow license and not the free one: the Microsoft Defender ATP connector is a premium connector, and premium connectors are not included in the free plan.
The good news is that you only need one paid Microsoft Flow license ($5 per month), assigned to the user account that creates the flow. For more information about Microsoft Flow plans, check this link.
Now go to Microsoft Flow from your Office 365 home page and choose [Automated-from blank].
Give your flow a name, search for WDATP and choose the trigger Triggers – Trigger when a new WDATP alert occurs. You then need to sign in with an account that has permissions on your Microsoft Defender ATP tenant. If the account you are using to create this flow does not have a paid Microsoft Flow license, you will receive an error here.
Now add a new step and search for the Alerts – Get Single Alert action, as shown in the figure below. This is where the Microsoft Flow & Microsoft Defender ATP integration shines.
For the ID of the alert, choose Alert ID from the dynamic content window.
Now add another action by searching for Get Single Machine and pick Machines – Get single machine, NOT Actions – Get single machine.
For the ID of the machine, pick Alert Machine ID from the dynamic content window.
Next, add a new action and pick Condition.
Now pick Machine Computer name from the dynamic content as the value of the condition.
The operator is is equal to, and the value is the FQDN of your CEO's machine (type it exactly as Microsoft Defender ATP reports the computer name).
Now under IF YES, add another action of type Condition.
Here you can add any condition you like; it could be that the Alert Title is Suspicious PowerShell Command, for example. But let us choose a condition where the Alert Severity is High or Medium.
Which should look like this:
Now we reach a point where we want to decide what we do if the following conditions are met:
- The machine is your CEO's machine.
- There is a High or Medium alert on your CEO's machine.
The Microsoft Flow & Microsoft Defender ATP integration makes this possible. We will start by pushing a notification to the SOC team's mobile devices, which they will receive if they have installed the Microsoft Flow mobile application. To do that, add the action Send me a mobile notification.
And fill in the details as shown in the figure below.
The next notification we want is an SMS to wake up a couple of people. There are many ways to do that; start by adding an action, search for Twilio, and pick the Send Text Message (SMS) action. Don't worry, you can use this service in trial mode just by signing up for free, without entering any payment information. This lets you test the scenario end to end and see what the SMS looks like on your mobile device.
Now go to https://www.twilio.com and create a new account.
Click Skip to dashboard after you finish creating your free account.
You will immediately see two important values in your dashboard: the Account SID and the Auth Token. Copy them for a later step, and treat the Auth Token like a password.
You also need a phone number to send the SMS notifications from. To get one, go directly to https://www.twilio.com/user/account/phone-numbers, click Get your first Twilio phone number, and copy the phone number that appears on the screen. That's it.
Now go back to your flow and fill in the Twilio connection as follows:
- Connection Name: choose any name you want.
- Twilio Account SID: This is the Account SID you got previously.
- Twilio Access Token: this is the Auth Token you got previously.
Now you will be presented with the box below. Fill in the following information:
- From Phone Number: This is the one you got from Twilio previously.
- To Phone Number: your mobile number.
- Text: this is the content of the SMS.
Now add another action and search for Microsoft Teams to view all relevant actions. Pick Post a message (V2) (preview).
Now choose the Microsoft team, the channel inside that team, and the message that Microsoft Flow will post to that channel.
Now that we have notified a couple of people via a Microsoft Flow mobile notification, an SMS and a Microsoft Teams message, it is time to start an approval workflow that asks your SOC team to approve enabling Microsoft Defender ATP App Restriction on your CEO's machine.
To do that, add another action, search for Approval and pick Approvals.
This will list all actions for Approvals. Now pick Start and wait for an approval.
Next, choose Approve/Reject – First to respond. Note that with this option the first assigned approver to answer decides for everyone, so keep the approver list to people authorized to take containment actions.
Now fill in the details as shown in the figure below:
Here we need to add another condition.
Pick Response from the dynamic content window,
and evaluate whether the Response is equal to Approve.
Now under IF YES, add an action by searching for WDATP and clicking the Windows Defender ATP tile to view all possible actions.
Pick Actions – Restrict app execution (preview). This is the step where the Microsoft Flow & Microsoft Defender ATP integration actually contains the machine, and it only runs after an explicit Approve response.
Now pick Alert Machine ID for the Machine ID value.
Add another action by searching for Send Email and choose Send an email (V2).
And finally, fill in the details of the email as shown in the figure below:
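To make the logic of the flow explicit, here is the same decision path in plain Python: the two Condition steps (CEO machine, then High or Medium severity), the Response is equal to Approve gate, and the REST call that the Restrict app execution action performs, plus the unrestrict call used when the incident is closed. This is an added example, not code from the original post or from Microsoft. The api.securitycenter.microsoft.com base URL, the alert and machine field names and the restrictCodeExecution/unrestrictCodeExecution endpoints are taken from the Defender ATP API documentation as I know it; the alerts, machine IDs and token below are constructed placeholders.

```python
"""Decision logic of the tutorial's flow, as plain Python.

Constructed sample payloads below imitate the shape of the Defender ATP
alert and machine API objects; the values are made up. API_BASE and the
endpoint paths are the documented Defender ATP REST endpoints that the
Flow connector wraps (assumption: unchanged since this was written).
"""

API_BASE = "https://api.securitycenter.microsoft.com/api"

# Condition 2 of the flow: only High or Medium alerts page the SOC.
ESCALATE_SEVERITIES = {"High", "Medium"}


def normalize_fqdn(name):
    """Lower-case and strip a trailing dot so CEO-LAPTOP.contoso.com. and
    ceo-laptop.contoso.com compare equal (sensor reports vary in case)."""
    return name.strip().rstrip(".").lower()


def is_vip_machine(machine, vip_fqdns):
    """Condition 1 of the flow: the alert's machine is the CEO machine."""
    wanted = {normalize_fqdn(f) for f in vip_fqdns}
    return normalize_fqdn(machine.get("computerDnsName", "")) in wanted


def is_actionable(alert):
    """Condition 2: alert severity is High or Medium."""
    return alert.get("severity") in ESCALATE_SEVERITIES


def should_escalate(alert, machine, vip_fqdns):
    """Both conditions must hold, exactly like the nested IF YES branches."""
    return is_vip_machine(machine, vip_fqdns) and is_actionable(alert)


def sms_text(alert, machine):
    """Body for the Twilio SMS step; cut at 160 chars so it is one segment."""
    text = f"WDATP {alert['severity']} alert on {machine['computerDnsName']}: {alert['title']}"
    return text[:160]


def _machine_action(machine_id, action, comment, token):
    """Shared builder for the machine action endpoints. The caller needs the
    Machine.RestrictExecution permission for the two actions used here."""
    return {
        "method": "POST",
        "url": f"{API_BASE}/machines/{machine_id}/{action}",
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "body": {"Comment": comment},
    }


def restrict_request(machine_id, comment, token):
    """The REST call behind 'Actions - Restrict app execution'."""
    return _machine_action(machine_id, "restrictCodeExecution", comment, token)


def unrestrict_request(machine_id, comment, token):
    """Counterpart run once the incident is closed and the restriction is lifted."""
    return _machine_action(machine_id, "unrestrictCodeExecution", comment, token)


def handle_approval(response, alert, machine, token):
    """The condition after 'Start and wait for an approval': only an explicit
    'Approve' response produces the restrict call; anything else does nothing."""
    if response != "Approve":
        return None
    comment = f"Flow approval for alert {alert['id']}: {alert['title']}"
    return restrict_request(machine["id"], comment, token)


def escalated_alert_ids(alerts, machines, vip_fqdns):
    """Ids of the alerts that would reach the notification/approval branch."""
    return [a["id"] for a in alerts
            if should_escalate(a, machines[a["machineId"]], vip_fqdns)]


# Constructed sample data (not real alerts, machine ids or tokens).
SAMPLE_MACHINES = {
    "m-ceo-0001": {"id": "m-ceo-0001", "computerDnsName": "CEO-LAPTOP.contoso.com"},
    "m-hr-0042": {"id": "m-hr-0042", "computerDnsName": "hr-desk01.contoso.com"},
}
SAMPLE_ALERTS = [
    {"id": "alert-1", "severity": "High", "title": "Suspicious PowerShell command line",
     "machineId": "m-ceo-0001", "computerDnsName": "CEO-LAPTOP.contoso.com", "status": "New"},
    {"id": "alert-2", "severity": "Informational", "title": "Unusual sign-in location",
     "machineId": "m-ceo-0001", "computerDnsName": "CEO-LAPTOP.contoso.com", "status": "New"},
    {"id": "alert-3", "severity": "High", "title": "Malware detected",
     "machineId": "m-hr-0042", "computerDnsName": "hr-desk01.contoso.com", "status": "New"},
]
VIP_FQDNS = ["ceo-laptop.contoso.com"]  # what you typed into the first Condition
SAMPLE_TOKEN = "constructed-placeholder-token"

if __name__ == "__main__":
    for alert_id in escalated_alert_ids(SAMPLE_ALERTS, SAMPLE_MACHINES, VIP_FQDNS):
        alert = next(a for a in SAMPLE_ALERTS if a["id"] == alert_id)
        machine = SAMPLE_MACHINES[alert["machineId"]]
        print("SMS:", sms_text(alert, machine))
        req = handle_approval("Approve", alert, machine, SAMPLE_TOKEN)
        print("Would call:", req["method"], req["url"], req["body"])
```

Only alert-1 reaches the approval branch: alert-2 is on the right machine but only Informational, and alert-3 is High but on another machine. The hostname comparison is deliberately case-insensitive, which is the check you want to confirm in your own flow before relying on an exact-match Condition against the FQDN.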
More Resources about the Microsoft Flow & Microsoft Defender ATP
- My Microsoft Defender Video Series
- Microsoft Flow & MS Defender ATP Integration blog post
- YouTube video on Microsoft Flow and Microsoft Defender ATP step-by-step
This Blog Post Is Available on YouTube
You can watch this whole Microsoft Flow & Microsoft Defender ATP blog post as a video on my YouTube channel. Consider subscribing for more videos to come.