Setup smart alerting for your Microsoft Defender for Endpoint with Power Automate

Part 3 of my blog series about setting up and expanding your Microsoft Defender for Endpoint.

This time it’s going to be expanded through the wonderful possibilities Power Automate has to offer us.

What we’re going to do is turn our alert notifications up a notch by connecting Defender for Endpoint with Power Automate to create a flow and trigger some actions ( you’re still following me right? 🙂 )

Let’s just break it down into pieces by doing what I always do: creating the videos that show you how to do it, together with the background info behind it.

Before we do that, let’s just discuss one thing so you have that in place before we start.

Licensing

Microsoft Defender for Endpoint requires one of the following licenses:

  • Windows 10 Enterprise E5
  • Windows 10 Education A5
  • Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
  • Microsoft 365 E5 Security
  • Microsoft 365 A5 (M365 A5)

Power Automate will require a premium subscription to use the MDfE connector.
You will find more information about this via the following link:

https://docs.microsoft.com/en-us/power-platform/admin/powerapps-flow-licensing-faq

That’s all we need if we’re talking prerequisites.

Creating a Power Automate flow

What we are going to do is create a flow that gets triggered when a new alert occurs in Microsoft Defender for Endpoint.
The flow will take the alert ID from the alert that was raised and retrieve all of that alert’s details from MDfE.
With this set of information we will create a new alert which we’re going to post as a new message in a Microsoft Teams channel and send as an e-mail via the Outlook connector.
The main advantage of Power Automate is that you can create IF-ELSE structures and use connectors like the ones for Teams and Outlook to use the information from one connector (MDfE) as input for the triggered actions.

The End Result

As you can see here, when I download the “fake” malware (the EICAR test file) from Eicar.org, MDfE creates a new alert, which triggers the flow we created earlier. A new message gets posted in the Teams channel SoC and an e-mail message gets sent to my mailbox.

How cool is it to combine these two great products and get a powerful alerting system?
What I didn’t show in the video is that you can even use your own ticketing system if there is a connector for it, or create one, to create a new ticket.

If you have any questions please post a comment, I’m here to help!

Have a great day and don’t forget to connect with me via the following platforms:


4 comments

  1. Andy wrote:

    I have just set this up and it works great. I have not used Flow before. One question: how can you set this so it only alerts on High severity alerts?

    • Patrick van Bemmelen wrote:

      Hi Andy,

      Glad to hear that you’ve got it working in your setup!
      Yes you can definitely filter out alerts, you do this by creating a Condition in your Flow/Automate.
      To do this, you need to click on the plus sign below Alerts – get single alert and select Condition.
      When you then click on the text box which says Choose a value you will be presented with the option to Select the Alert Alert Severity.
      By adjusting the filter to is equal to you can enter High.
      Please let me know if this worked for you, I’ve also added a screenshot of how it should look.
      [Screenshot: Power Automate condition MDE]
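To make the flow’s logic concrete (trigger on a new alert, get the single alert, apply a severity condition, then build the Teams/e-mail text), here is an added Python model of it. This is example code written for this page, not the blog’s flow or Microsoft’s connector; the sample alert is constructed, and the field names are assumed to follow the shape the “Alerts – get single alert” action returns. It goes one step beyond the “is equal to High” condition in the comment above by ranking severities, so a threshold of Medium also catches High.

```python
"""Model of the notification logic the Power Automate flow implements:
trigger on a new Defender for Endpoint alert, fetch its details, filter on
severity, and render the message posted to Teams / sent by e-mail.

Added example, not the blog's own flow. SAMPLE_ALERT is constructed for
illustration; its keys mirror the fields the MDfE "Alerts - get single alert"
action exposes (id, severity, title, category, computerDnsName, ...)."""
from typing import Optional

# Severity ordering used for "at least this severe" filtering. A plain
# "is equal to High" condition would silently drop Medium alerts; a rank
# comparison lets the threshold be chosen per flow.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample alert (placeholder id and hostname).
SAMPLE_ALERT = {
    "id": "da637000000000000000_-0000000000",
    "severity": "High",
    "status": "New",
    "title": "'EICAR_Test_File' malware was detected",
    "category": "Malware",
    "detectionSource": "WindowsDefenderAv",
    "computerDnsName": "ws01.example.com",
    "alertCreationTime": "2021-01-01T12:00:00.0000000Z",
    "threatName": "Virus:DOS/EICAR_Test_File",
}


def should_notify(alert: dict, min_severity: str = "High") -> bool:
    """True when the alert's severity meets the threshold.

    An unknown or missing severity is treated as notifiable, so a schema
    change on the connector side never makes alerts vanish silently."""
    rank = SEVERITY_RANK.get(alert.get("severity"))
    if rank is None:
        return True
    return rank >= SEVERITY_RANK[min_severity]


def build_message(alert: dict) -> str:
    """Render the Teams/e-mail body; absent fields become 'n/a' instead of
    raising, so a partial alert still produces a readable notification."""
    def field(key: str) -> str:
        return str(alert.get(key) or "n/a")

    lines = [
        f"[{field('severity')}] {field('title')}",
        f"Category: {field('category')}  Detection source: {field('detectionSource')}",
        f"Device: {field('computerDnsName')}  Threat: {field('threatName')}",
        f"Created: {field('alertCreationTime')}  Status: {field('status')}",
        f"Alert ID: {field('id')}",
    ]
    return "\n".join(lines)


def process_trigger(alert: dict, min_severity: str = "High") -> Optional[str]:
    """The whole flow in one call: the message to post, or None when the
    condition branch says the alert should be skipped."""
    if not should_notify(alert, min_severity):
        return None
    return build_message(alert)


if __name__ == "__main__":
    print(process_trigger(SAMPLE_ALERT) or "filtered out")
```

In the real flow the condition sits between “Alerts – get single alert” and the Teams/Outlook actions; `should_notify` is that condition and `build_message` is the dynamic-content body of the two actions.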

  2. Simon wrote:

    Hi,

    Great post! How are you handling the user context of the Power Automate? Does the automation run under your username, or using a separate service account for AAD automation?

    Best regards,
    Simon

    • Patrick van Bemmelen wrote:

      Hi Simon,

      Best practice would be to use a dedicated account for the Automate flow but in my case I used my own account.
      However, requirements in both cases are a Power Automate Premium plan and a Microsoft Defender license so that’s something you need to keep in mind.
