This playbook provides the automation to push Defender for Endpoint alerts, including alert names and MITRE tactics, techniques and sub-techniques, as hunting ARM templates into a Sentinel GitHub repository.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Standalone Content |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| SecurityAlert | `ProductName == "Microsoft Defender Advanced Threat Protection"` and `Tactics != "Unknown"` | ✓ | ✗ | ✓ |
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
| azuremonitorlogs | Managed | 1 | 1 |
| http | Built-in | 0 | 3 |
azuremonitorlogs (Managed)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Grab_MDE_Alerts_with_Mitre_Techniques | post | `/queryData` | — |
http (Built-in)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Post_Hunting_JSON_Arm_Template_to_Github | PUT | `https://api.github.com/repos/@{parameters('GitHubRepoOwnerName')}/@{parameters('GitHubRepoName')}/contents/Hunting/MDE_@{replace(replace(item()?['AlertName'], ' ', '_'), '/', '_')}_@{replace(replace(item()?['MitreTechnique'], ';', '_'), '.', '_')}.json` | — |
| Get_Github_Key_from_Keyvault | GET | `@parameters('KeyVaultGitHubCredentialsURL')` | — |
| Get_Github_Repo_Contents | GET | `https://api.github.com/repos/@{parameters('GitHubRepoOwnerName')}/@{parameters('GitHubRepoName')}/contents/Hunting` | — |