Skip to content
Menu
ChrisOnSecurity
  • Blog
  • Microsoft Security portals
  • Presentations
  • GitHub
  • About me
  • Impressum
  • Disclaimer
ChrisOnSecurity

Automate MDATP response with Microsoft Flow

Posted on 22. October 20191. December 2019

I recently met with a customer to discuss their migration from Kaspersky to Microsoft Defender ATP. They also use macmon to query the AV’s database to detect alerts and move affected clients to an isolated VLAN. Although MDATP is capable of handling incidents itself, the customer wanted to retain the capability to auto-isolate machines.

At first, we tried Custom Detection Rules that are now part of Advanced Hunting. Unfortunately, they only run once after creation plus every 24 hours after that without customization at the moment.

So, we had to switch to Microsoft Flow, and a whole new world of possibilities opened up. MDATP and Flow: better together.

Getting started

Create a service account (and protect it)

First, we need a service account to create the connectors to MDATP and Exchange Online (for mail alerts) in Flow. So, it needs an appropriate role and a mail box. Make sure that the account has the appropriate licenses for Flow, email, and security features (Azure AD Premium P2, e.g.).

In this case I used the Azure AD role “security administrator”:

MDATP also supports a more fine-grained delegation model that can be found in the portal under settings > roles:

However, you would also have to link these MDATP roles to an Azure AD group. As often more people can edit those than you might like, I chose Azure AD’s security administrator.

We will not be able to secure the service account with MFA because it has to sign-in unattended. Therefor, it needs a strong password:

In this case, I just auto generated a 64 character password using KeePass. Azure AD now supports up to 255 characters, so you’re free to go even higher.

Next, make sure there are user risk and sign-in risk policies in Azure AD Identity Protection that target the service account. While we are not planning to use MFA on a frequent basis, Microsoft should still be able to protect the account if it is at a certain risk level. I’d recommend “medium and above”. Please also read the note below the next screenshot carefully!

Please note!

It is imaginable that an attacker finds out the name of your service account and tries to DoS it by either signing in from various IP addresses or brute forcing it. These actions might trigger Identity Protection to increase the accounts risk level which would stop Flow from having access to MDATP. Eventually, this would also render every action you define in the workflow useless.

To mitigate this scenario set up all Identity Protection alerts to send emails in such a case.

Connect Flow to MDATP

As the service account is now ready, we can head over to Flow at https://flow.microsoft.com.

Once you have signed with the service account select Connectors on the left panel. There you can search for Defender ATP.

Please note

The Defender ATP connector for Microsoft Flow is a premium connector that has different licensing prerequisites. I will not go into detail about that in this post.

Next, click the connector and select “Triggers” as shown here:

Next, sign-in to MDATP to establish the connection:

The first workflow

The trigger is ready:

The connection is now functional, and you can start creating your workflow by clicking “New step”.

First, you should always start by gathering required information. In this case, all we need are MDATP alert and machine parameters. I also added a condition that lets me filter for different alert severities:

If “Alert Alert severity” matches “High” or “Medium” the condition is set to “true” switching to the “If yes” side on the left.

This is where machine actions and mailing will be processed. For each machine action you have to define “Machine Machine ID” as the “Machine ID” for an action. This is a bit confusing at first. But please keep in mind that we are not accessing all machine IDs, but only those that are linked to an alert we selected in the condition above.

In this case, I put two actions in place: “Isolate machine” and “Restrict app execution”.

Using the “Send an email (V2)” action you can link the mailbox of the service account to Flow which will then send notifications to another address of your choice. You can use all kinds of parameters from the connector to put useful information into it. Computer names, time stamps, and descriptions could be one of the obvious choices.

On the endpoint, network connections will now be blocked …

…and app execution will be restricted:

(No disrespect to Chrome or Google, it was just the first non-Microsoft app that came to my mind 🙂 )

Other interesting examples

Of course, this scenario was very simple. There are many other use cases you could cover with Microsoft Flow, e.g.:

  • Use Microsoft Cloud App Security as a trigger instead of Defender ATP
  • Implement approvals for automatic action, there is built-in module for that: “Start and wait for an approval”
  • Trigger antivirus scans
  • Collect an investigation package
  • Run a custom Advanced Hunting query and use the output for other actions
  • Create a new alert
  • Automatically collect Advanced Hunting data, e.g. in order to monitor your Application Control or USB device policies
  • Allow users to remove isolation and app restrictions via mail after MDATP cleaned up the device successfully.
  • Export relevant data to an external file or system (MDATP only retains data for 180 days maximum)
  • Or do whatever you like in the tenant by connecting Graph API.

I hope I could give you a first impression about the vast capabilities of Microsoft Flow. However, please always follow best practices to secure all accounts you use for Flow connectors. They often are highly privileged and could be abused to damage or delete all kinds of entities.

Thanks for reading!

Chris

@ChrisOnSecurity@infosec.exchange

Recent posts

  • What’s new: Microsoft 365 Security & Compliance December 2022
  • What’s new: Microsoft 365 Security & Compliance November 2022
  • Counter MFA spam attacks with Azure Active Directory
  • Windows 11 security – a first look
  • Conditional Access – device identification using certificates

@ChrisOnSecurity

Tweets by ChrisOnSecurity

Recent posts

  • What’s new: Microsoft 365 Security & Compliance December 2022
  • What’s new: Microsoft 365 Security & Compliance November 2022
  • Counter MFA spam attacks with Azure Active Directory
  • Windows 11 security – a first look
  • Conditional Access – device identification using certificates

Tags

Administration Administrative Units Android AV Azure Active Directory Azure AD Azure Sentinel Client Security Conditional Access Conditional Access App Control Defender ATP Delegation EDR EMS Enterprise Mobility + Security Identity Protection Information Protection & Compliance Linux M365 M365 E3 Mail Security MCAS MDAPT MDATP MFA Microsoft 365 Microsoft 365 E3 Microsoft 365 Security Microsoft Cloud App Security Microsoft Defender ATP Microsoft Ignite Mobile Security Monitoring Network Control Office 365 Office ATP passwordless Perimeter Security Baseline Session Control Sysmon Unified Incidents User submissions Web Content Filtering Windows 10 Enterprise
©2023 ChrisOnSecurity | WordPress Theme by Superbthemes.com
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT