It is time for part 9 of the Microsoft Defender for Endpoint (MDE) series. Part 9 is focused on the automation part of Defender for Endpoint with the use of Logic Apps/ Microsoft Sentinel automation. In the previous part, a couple of automated actions were discussed as part of the custom detections. With the use of Logic Apps or Power Automate, there is way more possible in terms of automation.

NOTE: The blog series focuses on features in Microsoft Defender for Endpoint P2 all Microsoft Defender for Endpoint P1 features are available in P2.

Specific question or content idea part of Defender for Endpoint? Use the contact submission form and share the post ideas.

Introduction

Defender for Endpoint supports automation via different systems. Part of Defender for Endpoint is automation via detection rules as a response to Advanced Hunting results (Custom detections), all the actions are limited and scoped. There is way more possible with the use of Logic Apps and supported Defender APIs.

Why automation?

When using SIEM solutions (Microsoft Sentinel/ Splunk) automation is common for security automation. Common examples;

  • Isolate/ unisolated device entity
  • Enable/disable MDE App Execution
  • Collect Investigation package
  • Run custom PowerShell script for more in-depth forensics/ collections (Memory dump)

Part 8 of the series explains the Advanced hunting/ custom detection feature; with the use of custom detection automation is possible. Blog link

What is possible?

When using Splunk/ Microsoft Sentinel or other SIEM systems there are more ways to trigger automated actions based on incidents/alerts. Of course; there are multiple API options or possibilities using the Defender Connector. When we check Sentinel there is the option for running automated Logic App actions part of the indecent/ alert trigger based on collected evidence.

Without Sentinel/ SIEM there is still space for automating Defender-related stuff with the available options via API or Logic Apps.

Logic Apps/ Power Automate

Currently, there are a couple of automation solutions within the Azure/Microsoft 365 stack. Logic Apps and Power Automate are the most popular ones. Based on my opinion:

  • Power Automate: used for personal process automation (Teams, Office from the user itself)
  • Logic App: Automate IT/ Operational tasks from an IT/ Dev/ Security point of view

Logic Apps is supported with additional features needed for securing the flow (Managed identity/ instead of Service Principal). Logic Apps supports additional logging by enabling the Diagnostics Settings. Another benefit of Logic Apps is the full RBAC capabilities which are included in Azure.

Based on my opinion; go for Logic Apps when using automation in combination with Defender for Endpoint.

Important: Automation is a large topic and can be used for multiple use cases; this blog post is focused on two examples using Logic App/ and automation with Microsoft Sentinel based on common use cases. The following examples are part of the blog to explain the basics of setting up the logic app:

– Tag devices automatically using Logic Apps
– MDE actions using playbooks in Microsoft Sentinel

Example 1: Tag devices automatically

Device tags are useful for grouping, and additional reporting. Device tags from the registry are limited to one single tag for each system. Using API or portal there is the option for adding more tags. This automation example explains the method for running a query against the Advanced Hunting dataset and tagging all devices in the result with a custom tag. Useful for systems that are identified as domain controllers or located in specific network environments/ locations.

How works the Logic App flow for tagging devices

  1. Recurrence trigger
  2. Run hunting query against Microsoft 365 Defender Advanced Hunting
  3. For each DeviceId add a specific device tag.

Note: Authentication is based on the use of a managed identity. Other authentications are not recommended when the managed identity is supported.

Advanced Hunting query

For detecting domain controllers, the below query gives a pretty accurate result. Always test the query in environments and validate the results against the known domain controllers. Using DeviceNetworkEvents where the local port is 88. For removing non-relevant machines LocalIPType “FourToSixMapping” gives in my tested environments a good result without any non-domain controller.

//Show Domain Controllers using localport 88 - type FourToSixMapping
DeviceNetworkEvents
| where LocalPort == "88"
| where LocalIPType contains "FourToSixMapping"
| distinct DeviceId
| join 
    (DeviceInfo
    | summarize arg_max(Timestamp,*) by DeviceId
    )
on DeviceId
| project DeviceId, DeviceName, OnboardingStatus

The result is the DeviceId, DeviceName. DeviceId is needed as part of the Logic App flow for tagging devices.

Create Logic App

Let’s automate the findings and tag devices automatically with the use of the Defender Advanced Hunting API. For this blog, we’ll use Azure Logic App and the built-in Defender connector. 

It is now time to create and configure the actual logic app. The below example is using the built-in Defender ATP Actions.

First, we need to create a Logic App. In the Azure portal, just search for “Logic Apps” and create a new app using the button “Add”

Select the correct subscription and resource group (location of the Logic App resources). Define the name and specify the region under instance details. Type is important; for MDE it is quite common to use the consumption model – it depends based on the needs and requirements. For consumption, the pricing is pay-per-execution whereas for the standard it is based on a hosting plan with a selected pricing tier.

For permissions/authentication, it is recommended to use a managed identity. Currently, not all actions part of Logic Apps are supported for managed identity authentication. When possible; use always the option managed identity.

After creating the Logic App click on Identity and switch the status toggle to On. As part of the process – the identity for the Logic App is created.

It is currently not possible to grant permission to Managed Identities via the Azure UI and therefore it is only possible to grant permissions with the use of PowerShell. There are a couple of resources available with pre-created scripts for assigning permissions.

Design the flow

With the use of the Logic Apps Designer, it is possible to design the Logic App. Start the designer from the Blank Logic App template.

Trigger

The first start point of the Logic app is one of the available triggers. For the device tag example, the simple recurrence is fine. With this trigger, the Logic Apps runs each day/week or at another designed frequency.

For example, set the flow for a run every Friday, ensuring new domain controllers are tagged weekly. Each specific timing setting can be used for applying device tags. Use a frequency that suits your needs.

Get results

Next up, we will use the first action. Part of the Logic App library is the Defender for Endpoint connector. Search for “Defender” and open “Microsoft Defender.

Search in the Defender for Endpoint app for “Advanced Hunting” and select the Advanced Hunting app for defining the query.


Authentication is important. It is possible to use a service principal/ user account with permissions or managed identity authentication. Following the best security practice use the managed identity option.

Important: Managed identity must be enabled before, as explained earlier in the blog.

Use the following query in the query field.

DeviceNetworkEvents
| where LocalPort == "88"
| where LocalIPType contains "FourToSixMapping"
| distinct DeviceId

Use the control For Each – for running the action for each unique result (DeviceId) as part of the Advanced Hunting. The output used is based on the results. Create Add an action for the next step.

Tag machine action

For tagging devices, there is a built-in action part of the MDE group. Search for the Machine tag action. The name of the action: Machine – tag machine

Fill in the following dynamic attributes:

  • ID of the machine: Dynamic content DeviceId
  • Value: Specify your preferred tag | example: Domain Controllers
  • Action: Select Add

Result

The deviceId part of the Advanced Hunting results is used for the Advanced Hunting tag machine action. For each unique result and machine ID the tag “Domain controllers” is configured. The output shows the device information and configured tag:

The purpose of this “Logic App example” was to give you some insights into what you can accomplish with the Microsoft Defender API and Logic apps for identifying domain controller servers and tagging them automatically with the tag “Domain Controllers”. It shows a really basic example of Azure Logic App based on Advanced Hunting results.

Standalone Logic Apps can be used more for more complex situations (some in-depth examples will be explained in separate blogs)


Example 2: Sentinel automation

Automation is possible via standalone Logic Apps or using Microsoft Sentinel as a trigger. With the use of Microsoft Sentinel, it is possible to trigger Logic Apps based on incident/ alert/ evidence data. Azure Logic Apps are the foundation for the complete automation in Sentinel.

Using Sentinel there are multiple ways for enabling/use automation. For each incident, there is the option for running separate Logic Apps by manually starting the Logic App. With the use of automation rules in Sentinel it is possible to streamline the automation. Automation rules are triggered by the creation of incidents. With the use of filters/ conditions, it is possible to run selected analytics rules.

Prepare Sentinel permissions

Microsoft Sentinel requires permissions for automation rules. Go to Microsoft Sentinel -> Settings and open the item Playbook permissions.

Select the resource group (location of the playbook) and select apply. It is recommended to use a separate resource group for all Logic App resources/ playbooks.

Template resources

The community and Microsoft created a couple of Logic App examples. All templates are available in the automation view of Sentinel. Go to automation -> playbook templates and search for MDE.

Sentinel GitHub repository is another good result for pre-build use cases and inspiration for new logic apps.

Common used Logic App examples in combination with MDE;

  • Run MDE antivirus scan
  • Isolate endpoint
  • Unisolate MDE machine
  • Restrict MDE App Execution

For creating a new playbook from the template; select the Playbook template and click “create playbook“. Select the correct subscription/ resource group and playbook name and connections. It is recommended to use connections based on managed identities and avoid the usage of personal account authentication.

Isolate MDE device

A good example is automated device isolation. The template in the playbook templates library is based on the Microsoft Sentinel incident trigger. For performing isolation the following steps are needed:

  1. Microsoft Sentinel incident trigger
  2. Entities – get hosts data (machine object data)
  3. For each machine host with MDE device ID
    • When true: Isolate the device and add a comment in Sentinel
    • When false: Add comment to incident

Important: The Logic App is created without permission. When using managed identities; make sure the correct permissions are applied. Machine.Isolate for isolating devices.

Trigger

The automation/ Logic App is created and visible in the Automation Active playbooks section. Now it is time for defining the triggers/ automation rules. There are a couple of situations:

  • Manual playbook trigger
  • Automated triggers based on automation flows

Manual trigger

From the Sentinel incident view, it is possible to run automation as a manual response. Open the incident -> incident actions -> and run the playbook.

Select the configured playbook. Only enabled playbooks configured with the Microsoft Sentinel incident trigger can be triggered. Disabled playbooks or playbooks configured with other triggers are not available in the Sentinel response view.

Automation trigger

With the use of Automation rules more automation is possible based on severity/ title and more objects part of the incident.

Configuration of Automation rules is possible via Automation -> Automation rules -> Create Automation rule.

Using automation rules it is possible to define all parameters and needed conditions. Example:

  1. When an incident is created
  2. With the severity High and the title contains Ransomware
  3. Change Sentinel incident status to Active
  4. Run playbook “Isolate-MDEMachine”

Logging

Logging/ troubleshooting information is directly available in the Logic App. In the overview section of the Logic App view the historic run states. Open the error state for all detailed information for each step.

In Defender for Endpoint, device actions are visible in the history view of the action center. Public API is triggered by the Logic App API connection.


Part 9 of the Microsoft Defender for Endpoint series is completed – focused on the explanation of the automation features using Logic App and Sentinel.

Searching for specific Defender for Endpoint information? Use the contact submission form and share the post ideas or contact using Linkedin or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.

View previous part – Microsoft Defender for Endpoint series – Advanced hunting and custom detections – Part8

View next part –Tips and tricks/ common mistakes – Part10