{ "template":{ "$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion":"1.0.0.0", "parameters":{ "logicAppName":{ "type":"String", "metadata":{ "description":"Name of the logic app." } }, "logicAppLocation":{ "defaultValue":"[resourceGroup().location]", "allowedValues":[ "eastasia", "southeastasia", "centralus", "eastus", "eastus2", "westus", "northcentralus", "southcentralus", "northeurope", "westeurope", "japanwest", "japaneast", "brazilsouth", "australiaeast", "australiasoutheast", "southindia", "centralindia", "westindia", "canadacentral", "canadaeast", "westcentralus", "westus2", "[resourceGroup().location]" ], "type":"String", "metadata":{ "description":"Location of the logic app." } }, "wdatp_Connection_Name":{ "defaultValue":"wdatp", "type":"String", "metadata":{ "description":"Name of the connection." } }, "office365_Connection_Name":{ "defaultValue":"office365", "type":"String", "metadata":{ "description":"Name of the connection." } }, "approvals_Connection_Name":{ "defaultValue":"approvals", "type":"String", "metadata":{ "description":"Name of the connection." } } }, "resources":[ { "type":"Microsoft.Logic/workflows", "name":"[parameters('logicAppName')]", "apiVersion":"2016-06-01", "location":"[parameters('logicAppLocation')]", "properties":{ "state":"Disabled", "definition":{ "$schema":"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "contentVersion":"1.0.0.0", "parameters":{ "$connections":{ "defaultValue":{ }, "type":"Object" }, "$authentication":{ "defaultValue":{ }, "type":"SecureObject" } }, "triggers":{ "Triggers_when_a_Windows_Defender_ATP_alert_occurs":{ "metadata":{ "flowSystemMetadata":{ "swaggerOperationId":"WebHooks_CreateWebHook" } }, "type":"ApiConnectionWebhook", "inputs":{ "host":{ "connection":{ "name":"@parameters('$connections')['wdatp']['connectionId']" } }, "body":{ "clientState":"flow", "changeType":"created", "resource":"alerts", "expirationDateTime":"2038-09-20T12:00:00Z", "notificationUrl":"@{listCallbackUrl()}" }, "path":"/subscriptions", "authentication":"@parameters('$authentication')" } } }, "actions":{ "Get_single_alert":{ "runAfter":{ }, "metadata":{ "flowSystemMetadata":{ "swaggerOperationId":"GetSingleAlert" } }, "type":"ApiConnection", "inputs":{ "host":{ "connection":{ "name":"@parameters('$connections')['wdatp']['connectionId']" } }, "method":"get", "path":"/api/alerts/@{encodeURIComponent(triggerBody()?['id'])}", "authentication":"@parameters('$authentication')" } }, "Get_single_machine":{ "runAfter":{ "Get_single_alert":[ "Succeeded" ] }, "metadata":{ "flowSystemMetadata":{ "swaggerOperationId":"GetSingleMachine" } }, "type":"ApiConnection", "inputs":{ "host":{ "connection":{ "name":"@parameters('$connections')['wdatp']['connectionId']" } }, "method":"get", "path":"/api/machines/@{encodeURIComponent(body('Get_single_alert')?['machineId'])}", "authentication":"@parameters('$authentication')" } }, "Condition":{ "actions":{ "Isolate_machine":{ "runAfter":{ }, "metadata":{ "flowSystemMetadata":{ "swaggerOperationId":"IsolateMachine" } }, "type":"ApiConnection", "inputs":{ "host":{ "connection":{ "name":"@parameters('$connections')['wdatp']['connectionId']" } }, "method":"post", "body":{ "Comment":"Isolate due to High severity Alert.", "IsolationType":"Full" }, "path":"/api/machines/@{encodeURIComponent(body('Get_single_machine')?['id'])}/isolate", "authentication":"@parameters('$authentication')" } }, "Send_an_email_(V2)":{ "runAfter":{ "Isolate_machine":[ "Succeeded" ] }, "metadata":{ "flowSystemMetadata":{ "swaggerOperationId":"SendEmailV2" } }, "type":"ApiConnection", "inputs":{ "host":{ "connection":{ "name":"@parameters('$connections')['office365']['connectionId']" } }, "method":"post", "body":{ "To":"replace.me@mail.com;", "Subject":"Automatically Isolated Machine @{body('Get_single_machine')?['computerDnsName']} because of high severity alert.", "Body":"

Automatic isolation was performed.
\n
\nAlert: https://securitycenter.windows.com/alert/@{triggerBody()?['id']}
\nMachine: https://securitycenter.windows.com/_machine/@{body('Get_single_alert')?['machineId']}

", "Importance":"High" }, "path":"/v2/Mail", "authentication":"@parameters('$authentication')" } } }, "runAfter":{ "Get_single_machine":[ "Succeeded" ] }, "else":{ "actions":{ "Condition_2":{ "actions":{ "Start_and_wait_for_an_approval":{ "runAfter":{ }, "metadata":{ "flowSystemMetadata":{ "swaggerOperationId":"approvalSubscribeV2" } }, "type":"ApiConnectionWebhook", "inputs":{ "host":{ "connection":{ "name":"@parameters('$connections')['approvals']['connectionId']" } }, "body":{ "notificationUrl":"@{listCallbackUrl()}", "title":"WDATP medium alert - Approve Machine Isolation", "assignedTo":"replace.me@mail.com;", "details":"Please Approve isolation of machine \n[Machine URL](https://securitycenter.windows.com/_machine/@{body('Get_single_alert')?['machineId']})\n----\nActor: @{body('Get_single_alert')?['actorName']}\n[Link to alert](https://securitycenter.windows.com/alert/@{body('Get_single_alert')?['id']})\nAlert Category: @{body('Get_single_alert')?['category']}\nAlert Classification: @{body('Get_single_alert')?['classification']}\nAlert Description: @{body('Get_single_alert')?['description']}\nThreat Family: @{body('Get_single_alert')?['threatFamilyName']}", "enableNotifications":true }, "path":"/types/@{encodeURIComponent('Basic')}/$subscriptions", "authentication":"@parameters('$authentication')" } }, "Condition_3":{ "actions":{ "Isolate_machine_2":{ "runAfter":{ }, "metadata":{ "flowSystemMetadata":{ "swaggerOperationId":"IsolateMachine" } }, "type":"ApiConnection", "inputs":{ "host":{ "connection":{ "name":"@parameters('$connections')['wdatp']['connectionId']" } }, "method":"post", "body":{ "Comment":"Isolate due to approved medium alert", "IsolationType":"Full" }, "path":"/api/machines/@{encodeURIComponent(body('Get_single_machine')?['id'])}/isolate", "authentication":"@parameters('$authentication')" } }, "Send_an_email_(V2)_2":{ "runAfter":{ "Isolate_machine_2":[ "Succeeded" ] }, "metadata":{ "flowSystemMetadata":{ "swaggerOperationId":"SendEmailV2" } }, "type":"ApiConnection", "inputs":{ "host":{ "connection":{ "name":"@parameters('$connections')['office365']['connectionId']" } }, "method":"post", "body":{ "To":"replace.me@mail.com;", "Subject":"Isolation approved - Isolate @{triggerBody()?['machineId']}", "Body":"

Approved by: @{body('Start_and_wait_for_an_approval')?['responder']?['displayName']}
\nAlert: https://securitycenter.windows.com/alert/@{triggerBody()?['id']}
\nMachine: https://securitycenter.windows.com/_machine/@{body('Get_single_alert')?['machineId']}

" }, "path":"/v2/Mail", "authentication":"@parameters('$authentication')" } } }, "runAfter":{ "Start_and_wait_for_an_approval":[ "Succeeded" ] }, "else":{ "actions":{ "Send_an_email_(V2)_3":{ "runAfter":{ }, "metadata":{ "flowSystemMetadata":{ "swaggerOperationId":"SendEmailV2" } }, "type":"ApiConnection", "inputs":{ "host":{ "connection":{ "name":"@parameters('$connections')['office365']['connectionId']" } }, "method":"post", "body":{ "To":"replace.me@mail.com;", "Subject":"Isolation rejected - Isolate @{triggerBody()?['machineId']}", "Body":"

Rejected by: @{body('Start_and_wait_for_an_approval')?['responder']?['displayName']}
\nAlert: https://securitycenter.windows.com/alert/@{triggerBody()?['id']}
\nMachine: https://securitycenter.windows.com/_machine/@{body('Get_single_alert')?['machineId']}

" }, "path":"/v2/Mail", "authentication":"@parameters('$authentication')" } } } }, "expression":{ "equals":[ "@body('Start_and_wait_for_an_approval')?['response']", "Approve" ] }, "type":"If" } }, "runAfter":{ }, "expression":{ "equals":[ "@body('Get_single_alert')?['severity']", "Medium" ] }, "type":"If" } } }, "expression":{ "equals":[ "@body('Get_single_alert')?['severity']", "High" ] }, "type":"If" } } }, "parameters":{ "$connections":{ "value":{ "wdatp":{ "id":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('logicAppLocation'), '/managedApis/', 'wdatp')]", "connectionId":"[resourceId('Microsoft.Web/connections', parameters('wdatp_Connection_Name'))]", "connectionName":"[parameters('wdatp_Connection_Name')]" }, "office365":{ "id":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('logicAppLocation'), '/managedApis/', 'office365')]", "connectionId":"[resourceId('Microsoft.Web/connections', parameters('office365_Connection_Name'))]", "connectionName":"[parameters('office365_Connection_Name')]" }, "approvals":{ "id":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('logicAppLocation'), '/managedApis/', 'approvals')]", "connectionId":"[resourceId('Microsoft.Web/connections', parameters('approvals_Connection_Name'))]", "connectionName":"[parameters('approvals_Connection_Name')]" } } } }, "runtimeConfiguration":{ "lifetime":{ "unit":"Day", "count":30 }, "collections":{ "maximumItemCount":100000 }, "performanceProfile":{ "throttles":{ "mode":"Medium" } } } }, "dependsOn":[ "[resourceId('Microsoft.Web/connections', parameters('wdatp_Connection_Name'))]", "[resourceId('Microsoft.Web/connections', parameters('office365_Connection_Name'))]", "[resourceId('Microsoft.Web/connections', parameters('approvals_Connection_Name'))]" ] }, { "type":"Microsoft.Web/connections", "name":"[parameters('wdatp_Connection_Name')]", "apiVersion":"2016-06-01", "location":"[parameters('logicAppLocation')]", "properties":{ "api":{ "id":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('logicAppLocation'), '/managedApis/', 'wdatp')]" }, "displayName":"[parameters('wdatp_Connection_Name')]" } }, { "type":"Microsoft.Web/connections", "name":"[parameters('office365_Connection_Name')]", "apiVersion":"2016-06-01", "location":"[parameters('logicAppLocation')]", "properties":{ "api":{ "id":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('logicAppLocation'), '/managedApis/', 'office365')]" }, "displayName":"[parameters('office365_Connection_Name')]" } }, { "type":"Microsoft.Web/connections", "name":"[parameters('approvals_Connection_Name')]", "apiVersion":"2016-06-01", "location":"[parameters('logicAppLocation')]", "properties":{ "api":{ "id":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('logicAppLocation'), '/managedApis/', 'approvals')]" }, "displayName":"[parameters('approvals_Connection_Name')]" } } ] } }