AS-Block-Hash-in-Defender

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook is intended to be run from a Microsoft Sentinel Incident. It will take the File Hashes from the Incident entities list and block them in Defender. A comment noting the affected File Hashes will be added to the Incident.

Attribute	Value
Type	Playbook
Solution	Standalone Content
Source	View on GitHub

Logic App Connectors

This playbook uses 3 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	2
`keyvault`	Managed	1	1
`http`	Built-in	0	2

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Add_comment_to_incident_(V3)	post	`/Incidents/Comment`	—
Entities_-_Get_FileHashes	post	`/entities/filehash`	—

`keyvault` (Managed)

Action	Method	Endpoint	Other
Get_Client_Secret	get	`[concat('/secrets/@{encodeURIComponent(''', parameters('KeyVaultSecretName'), ''')}/value')]`	—

`http` (Built-in)

Action	Method	Endpoint	Other
HTTP_-_Add_Defender_IOC	POST	`https://api.securitycenter.microsoft.com/api/indicators`	—
HTTP_-_Authenticate	POST	`[concat('https://login.microsoftonline.com/', subscription().tenantId, '/oauth2/v2.0/token')]`	—

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Playbooks

AS-Block-Hash-in-Defender

Logic App Connectors

azuresentinel (Managed)

keyvault (Managed)

http (Built-in)

`azuresentinel` (Managed)

`keyvault` (Managed)

`http` (Built-in)