Setup smart alerting for your Endpoint Security with Power Automate

Part 3 of my blog series about setting up and expanding your Endpoint Security.

This time it’s going to be expanded through the wonderful possibilities Power Automate has to offer us.

What we’re going to do is turn our alert notifications up a notch by connecting Defender ATP with Power Automate to create a flow and trigger some actions ( you’re still following me right? 🙂 )

Let’s just break it down into pieces by doing what I always do, create the videos that show you how to do it and the background info behind it.

Before we do that, let’s just discuss one thing so you have that in place before we start.

Licensing

Defender ATP requires one of the following licenses:

  • Windows 10 Enterprise E5
  • Windows 10 Education A5
  • Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
  • Microsoft 365 E5 Security
  • Microsoft 365 A5 (M365 A5)

Power Automate will require a premium subscription to use the MDATP connector.
You will find more information about this via the following link:

https://docs.microsoft.com/en-us/power-platform/admin/powerapps-flow-licensing-faq

That’s all we need if we’re talking prerequisites.

Creating a Power Automate flow

What we are going to do is create a flow that gets triggered when a new alert occurs in Microsoft Defender ATP.
The flow takes the alert ID from the alert that was raised and retrieves the full alert details from MDATP.
With this set of information we create a new notification, which we post as a new message in a Microsoft Teams channel and send as an e-mail via the Outlook connector.
The main advantage of Power Automate is that you can build IF-ELSE structures and use connectors like the ones for Teams and Outlook, so the output of one connector (MDATP) becomes the input for the actions the flow triggers.
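To make the flow logic concrete, here is an added example (not part of the original post and not Power Automate code) that mirrors what the flow does in Python: parse the alert JSON, skip alerts that are already resolved, branch on severity, and build the Teams message and e-mail. The sample alert is constructed, and the field names are an assumption based on the MDATP alerts API; check them against the output of your own “Get single alert” step.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample alert, shaped like the JSON the alert-details step returns
# (field names are an assumption; verify them against your tenant's output).
SAMPLE_ALERT = json.dumps({
    "id": "PLACEHOLDER-ALERT-ID",
    "title": "'EICAR_Test_File' malware was detected",
    "severity": "Medium",
    "status": "New",
    "category": "Malware",
    "threatName": "Virus:DOS/EICAR_Test_File",
    "computerDnsName": "lab-pc01.contoso.local",
    "alertCreationTime": "2020-04-01T10:15:00Z",
})

# Severity ordering for the IF-ELSE branch: below the threshold only Teams is
# notified, at or above it both Teams and e-mail are sent.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
EMAIL_THRESHOLD = "Medium"

@dataclass
class Notifications:
    teams_message: str
    email_subject: Optional[str]   # None when the flow takes the "no e-mail" branch
    email_body: Optional[str]

def build_notifications(alert_json: str) -> Optional[Notifications]:
    """Mirror the flow: parse the alert, branch on severity, format outputs.
    Returns None for alerts the flow should ignore (already resolved)."""
    alert = json.loads(alert_json)
    if alert.get("status") == "Resolved":
        return None
    sev = alert.get("severity", "Informational")
    # Teams message: one line per field the SOC needs to triage quickly.
    teams = (f"[{sev}] {alert['title']}\n"
             f"Host: {alert.get('computerDnsName', '?')}\n"
             f"Category: {alert.get('category', '?')} / Threat: {alert.get('threatName', '?')}\n"
             f"Alert ID: {alert['id']} (created {alert.get('alertCreationTime', '?')})")
    if SEVERITY_RANK.get(sev, 0) < SEVERITY_RANK[EMAIL_THRESHOLD]:
        return Notifications(teams, None, None)
    subject = f"MDATP {sev} alert on {alert.get('computerDnsName', 'unknown host')}: {alert['title']}"
    return Notifications(teams, subject, teams)

if __name__ == "__main__":
    print(build_notifications(SAMPLE_ALERT))
```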

The End Result

As you can see here, when I download the “fake” malware from Eicar.org, MDATP creates a new alert which triggers the flow we created earlier. A new message gets posted in the Teams channel SoC and an e-mail message gets sent to my mailbox.

How cool is it to combine these two great products and get a powerful alerting system?
What I didn’t show in the video is that you can even hook in your own ticketing system, if a connector exists for it (or you build one), and have the flow create a new ticket.

If you have any questions please post a comment, I’m here to help!

Have a great day and don’t forget to connect with me via the following platforms:
