Automate response with Defender ATP and Microsoft Flow

So now when we have cool products (more or less builtin) we need to start working with them and not be required to look in the portals 24/7.

This post will demonstrate an example on how to use approval in email to isolate machines with new alerts.

Microsoft Flow is very easy to use to create business flows for all kind of products. You can manage anything which has an API.

Microsoft has released connectors for many solutions and by drag n drop you can create flows to make your life a lot easier.

This flow used in this blog post is just to be able to show something useful.

  • Start by browsing to https://flow.microsoft.com and create a new flow
  • Search for WDATP and select the Trigger “Triggers when a Windows Defender ATP alert accurs (preview)”

We will then add an action to “Get single alert preview”, this will give us more information to use later.

In below picture we can see some of the dynamic content we can add to next step in the flow

We can also add a condition. In this example we use condition for alert severity (high or medium).

We also want to add an approver step.

For some reason the Approval type is in Swedish for me. You have 2 default options and one custom option
Options are “Everyone must approve” or “First one to approve”.

Based on the response from the approval step we continue the flow with a condition to go ahead if the responder choose to approve the action.


We add the action “Isolate machine (preview)” and configure that along with a send email action.

Running the Flow

If you need to change your flow you can re-run it using the same data as used previously

After the approval we get the status message send to all approvers

We can see that our test machine was successfully isolated

In the flow test overview

From the ATP console we now have the option to release the machine from isolation, collect investigation package etc

Dynamic content

Actions

Pro tips:

  • Use get alert to be able to add more dynamic content to use in subsequent steps
  • Use get machine to be able to get more information like IP, Computername etc
  • Start building your automated playbooks. This will save you time

9 Comments

  1. Jörgen Gröhn

    Looks so easy, but still needs trained and skilled persons such as Stefan or Matte Borg.

    Reply
  2. Mike

    I tried this and it prompts me for Flow pricing. WTH? This is a Microsoft service so it shouldnt need additional costs for use. We have E5 licensing as well.

    Reply
    1. Security Labs (Post author)

      Yep, a new pricing plan for flow which you can see here (I guess you’ve already seen it)

      https://flow.microsoft.com/en-us/pricing/

      Reply
  3. Pingback: MS Flow and MS Defender ATP Integration | Ammar Hasayen

  4. Amar

    I tried this with Security Administrator role and I get a message “Need admin approval
    Windows Defender ATP for Flow
    Windows Defender ATP for Flow needs permission to access resources in your organisation that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.”

    Reply
  5. Mornay

    Thanks the flow is easy and works great esp if you have the flow app on your mobile device.

    I expanded the flow to Kaizala as an alternative channel. Hopefully we will be able to extract end user contact details soon (( Get single user) (most frequent / last login, job title, department, first seen, last seen, contact via)) to send an alert to the user or manager with a custom message about the alert.

    Reply
    1. Security Labs (Post author)

      Well done!

      Reply
  6. Thomas

    im hoping i can make a request in regards to this matter, or maybe an idea for a new post, as im fairly new with flow.

    What i was thinking of in similar, is that many times an alert shows in Cloud App where a user is travelling to an unfamiliar location. What if Flow could pick up this alert, send an email with options to the user, requesting input to verify their location. If yes, Alert is closed, if No, account is blocked, and a automated message is sent to SOC Teams site for manual checkup.

    Reply
    1. Security Labs (Post author)

      Yes,
      That’s a very good idea!

      The post was more to show, as inspiration, what we actually can do with the orchestration and the moving decisions to end users might be risky but still saves a lot of investigation time for the SOC

      Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.