AS-Add-Machine-Logon-Users-to-Incident
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Content Index
This playbook is intended to be run from a Microsoft Sentinel incident. It will match the hosts from a Microsoft Sentinel incident with Microsoft Defender machines and add the logon users for each machine as a comment on the Microsoft Sentinel incident.
| Attribute |
Value |
| Type |
Playbook |
| Solution |
Standalone Content |
| Source |
View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
Action parameters (URLs, paths, function IDs)
| Action |
Method |
Endpoint |
Other |
| Add_comment_to_incident_(V3) |
post |
/Incidents/Comment |
— |
| Entities_-_Get_Hosts |
post |
/entities/host |
— |
| Action |
Method |
Endpoint |
Other |
| Get_Client_Secret |
get |
[concat('/secrets/@{encodeURIComponent(''', parameters('KeyVaultSecretName'), ''')}/value')] |
— |
http (Built-in)
| Action |
Method |
Endpoint |
Other |
| HTTP_-_Get_machine_logon_users |
GET |
https://api.securitycenter.microsoft.com/api/machines/@{items('For_each_-_Host')?['additionalData']?['MdatpDeviceId']}/logonusers |
— |
| HTTP_-_Authenticate |
POST |
[concat('https://login.microsoftonline.com/', subscription().tenantId, '/oauth2/v2.0/token')] |
— |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Playbooks