{ "template":{ "$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion":"1.0.0.0", "parameters":{ "logicAppName":{ "type":"String", "metadata":{ "description":"Name of the logic app." } }, "logicAppLocation":{ "defaultValue":"[resourceGroup().location]", "allowedValues":[ "eastasia", "southeastasia", "centralus", "eastus", "eastus2", "westus", "northcentralus", "southcentralus", "northeurope", "westeurope", "japanwest", "japaneast", "brazilsouth", "australiaeast", "australiasoutheast", "southindia", "centralindia", "westindia", "canadacentral", "canadaeast", "westcentralus", "westus2", "[resourceGroup().location]" ], "type":"String", "metadata":{ "description":"Location of the logic app." } }, "wdatp_Connection_Name":{ "defaultValue":"wdatp", "type":"String", "metadata":{ "description":"Name of the Windows Defender ATP API connection. This connection is used by the alert webhook trigger and by the alert lookup, machine lookup and machine isolation actions, so it must be authorized with an identity permitted to isolate machines." } }, "office365_Connection_Name":{ "defaultValue":"office365", "type":"String", "metadata":{ "description":"Name of the Office 365 connection used by the Send_an_email_(V2) action to send the isolation notification." } }, "approvals_Connection_Name":{ "defaultValue":"approvals", "type":"String", "metadata":{ "description":"Name of the Approvals connection." 
} } }, "resources":[ { "type":"Microsoft.Logic/workflows", "name":"[parameters('logicAppName')]", "apiVersion":"2016-06-01", "location":"[parameters('logicAppLocation')]", "properties":{ "state":"Disabled", "definition":{ "$schema":"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "contentVersion":"1.0.0.0", "parameters":{ "$connections":{ "defaultValue":{ }, "type":"Object" }, "$authentication":{ "defaultValue":{ }, "type":"SecureObject" } }, "triggers":{ "Triggers_when_a_Windows_Defender_ATP_alert_occurs":{ "metadata":{ "flowSystemMetadata":{ "swaggerOperationId":"WebHooks_CreateWebHook" } }, "type":"ApiConnectionWebhook", "inputs":{ "host":{ "connection":{ "name":"@parameters('$connections')['wdatp']['connectionId']" } }, "body":{ "clientState":"flow", "changeType":"created", "resource":"alerts", "expirationDateTime":"2038-09-20T12:00:00Z", "notificationUrl":"@{listCallbackUrl()}" }, "path":"/subscriptions", "authentication":"@parameters('$authentication')" } } }, "actions":{ "Get_single_alert":{ "runAfter":{ }, "metadata":{ "flowSystemMetadata":{ "swaggerOperationId":"GetSingleAlert" } }, "type":"ApiConnection", "inputs":{ "host":{ "connection":{ "name":"@parameters('$connections')['wdatp']['connectionId']" } }, "method":"get", "path":"/api/alerts/@{encodeURIComponent(triggerBody()?['id'])}", "authentication":"@parameters('$authentication')" } }, "Get_single_machine":{ "runAfter":{ "Get_single_alert":[ "Succeeded" ] }, "metadata":{ "flowSystemMetadata":{ "swaggerOperationId":"GetSingleMachine" } }, "type":"ApiConnection", "inputs":{ "host":{ "connection":{ "name":"@parameters('$connections')['wdatp']['connectionId']" } }, "method":"get", "path":"/api/machines/@{encodeURIComponent(body('Get_single_alert')?['machineId'])}", "authentication":"@parameters('$authentication')" } }, "Condition":{ "actions":{ "Isolate_machine":{ "runAfter":{ }, "metadata":{ "flowSystemMetadata":{ 
"swaggerOperationId":"IsolateMachine" } }, "type":"ApiConnection", "inputs":{ "host":{ "connection":{ "name":"@parameters('$connections')['wdatp']['connectionId']" } }, "method":"post", "body":{ "Comment":"Isolate due to High severity Alert.", "IsolationType":"Full" }, "path":"/api/machines/@{encodeURIComponent(body('Get_single_machine')?['id'])}/isolate", "authentication":"@parameters('$authentication')" } }, "Send_an_email_(V2)":{ "runAfter":{ "Isolate_machine":[ "Succeeded" ] }, "metadata":{ "flowSystemMetadata":{ "swaggerOperationId":"SendEmailV2" } }, "type":"ApiConnection", "inputs":{ "host":{ "connection":{ "name":"@parameters('$connections')['office365']['connectionId']" } }, "method":"post", "body":{ "To":"replace.me@mail.com;", "Subject":"Automatically Isolated Machine @{body('Get_single_machine')?['computerDnsName']} because of high severity alert.", "Body":"
Automatic isolation was performed.
\n
\nAlert: https://securitycenter.windows.com/alert/@{triggerBody()?['id']}
\nMachine: https://securitycenter.windows.com/_machine/@{body('Get_single_alert')?['machineId']}
Approved by: @{body('Start_and_wait_for_an_approval')?['responder']?['displayName']}
\nAlert: https://securitycenter.windows.com/alert/@{triggerBody()?['id']}
\nMachine: https://securitycenter.windows.com/_machine/@{body('Get_single_alert')?['machineId']}
Rejected by: @{body('Start_and_wait_for_an_approval')?['responder']?['displayName']}
\nAlert: https://securitycenter.windows.com/alert/@{triggerBody()?['id']}
\nMachine: https://securitycenter.windows.com/_machine/@{body('Get_single_alert')?['machineId']}