Skip to main content
sekureco42
  1. Posts/

Microsoft Defender for Endpoint API with Logic App

·412 words·2 mins· loading · loading · ·
English MDE API Azure Logic App Expert
rOger Eisenecher
Author ::..
rOger Eisenecher
> 12 years leading and building a SOC for MSSP • > 20 years working in security • > 40 years working with IT • 100% tech nerd.
Table of Contents

In another post I already wrote about managed identities and using API. There I also showed how to adapt the required permissions. In this post you will see how to set up required permissions for Microsoft Defender for Endpoint (internally called WindowsDefenderATP).

Introduction

In the post about Graph API with Logic App I already showed how to use Managed Identity and assign required permissions to it.

Unfortunatly if you want to use Microsoft Defender for Endpoint API it is not as easy as described in the mentioned post. The biggest challenge is to find out which permissions you could assign to your managed identity.

Implementation

What you need to know is the magic Id of the application to get the permissions out of it (meaning that you can use the PowerShell script you find in the mentioned post above).

The magic Id for WindowsDefenderATP (the internal name of Microsoft Defender for Endpoint) is: fc780465-2017-40d4-a0c5-307022471b92.

For our example we want to assign the following permissions to the managed identity:

  • Alert.ReadWrite.All
  • Machine.ReadWrite.All
  • Machine.Isolate

Here is the corresponding PowerShell script:

$managedIdentityId = '8396e306-d3d0-4b6f-8b47-f73dfbeecadf'
$myPermissions = "Alert.ReadWrite.All", "Machine.ReadWrite.All", "Machine.Isolate"

Connect-MgGraph -Scopes 'Application.ReadWrite.All,AppRoleAssignment.ReadWrite.All'

$msi = Get-MgServicePrincipal -Filter "Id eq '$managedIdentityId'"

$mde = Get-MgServicePrincipal -Filter "AppId eq 'fc780465-2017-40d4-a0c5-307022471b92'"

foreach ($myPerm in $myPermissions) {
  $permission = $mde.AppRoles `
      | where Value -Like $myPerm `
      | Select-Object -First 1

  if ($permission) {
    New-MgServicePrincipalAppRoleAssignment `
        -ServicePrincipalId $msi.Id `
        -AppRoleId $permission.Id `
        -PrincipalId $msi.Id `
        -ResourceId $mde.Id
  }
}

Disconnect-MgGraph

To verify what you have done you could use following command:

Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id | fl

Logic App Workflow

Now here an example Logic App workflow which will use the managed identity to operate on the Defender for Endpoint API:

logic-app-part1.png
Logic App Workflow based on Microsoft Defender for Endpoint - Part 1: Trigger and first decision: Do something if alert has severity High.

logic-app-part2.png
Logic App Workflow based on Microsoft Defender for Endpoint - Part 2: Fetching additional information and if os name is Windows10 or Windows11 isolate system.

logic-app-part3.png
Logic App Workflow based on Microsoft Defender for Endpoint - Part 3: The end (just for completeness).

Final result

Of course this workflow does not make sense. It just shows how to connect to the Graph API to fetch data from a Logic App. This are the key take aways:

  • Create Logic App
  • Create Managed Identity (System Assigned)
  • Grant API permission to Managed Identity with PowerShell
  • Use WDATP block to access Microsoft Defender for Endpoint API

Further Reading

Here are some links: