diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png new file mode 100644 index 0000000000..69836b943c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png new file mode 100644 index 0000000000..741770b06a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/condition1.png b/windows/security/threat-protection/microsoft-defender-atp/images/condition1.png new file mode 100644 index 0000000000..fb441257c0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/condition1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/condition2.png b/windows/security/threat-protection/microsoft-defender-atp/images/condition2.png new file mode 100644 index 0000000000..e57b9d3fe4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/condition2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png new file mode 100644 index 0000000000..3d274ebf9f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow-recurrence.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow-recurrence.png new file mode 100644 index 0000000000..01ad9116f0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/flow-recurrence.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow2.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow2.png new file mode 100644 index 0000000000..647008af7d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/flow2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/http-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/http-flow.png new file mode 100644 index 0000000000..71e3aa0e9f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/http-flow.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png index 7890439b39..826cd1b106 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png and b/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-flow.png new file mode 100644 index 0000000000..3a2b7563bf Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-flow.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png b/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png new file mode 100644 index 0000000000..f4f0bca971 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md index 3130f39024..03f2f15f94 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md 
@@ -35,4 +35,145 @@ You'll need to have access to: 2. Navigate to **My flows > New > Scheduled - from blank**. -3. + ![Image of flow](images/new-flow.png) + + +3. Create the flow: + + ![Image of the notification flow](images/flow2.png) + +4. Set the recurrence: + + ![Image of flow recurrence](images/flow-recurrence.png) + + +5. The example below uses an HTTP call to Microsoft Defender Security Center API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines – Get list of machines"). + + ![Image of HTTP](images/http-flow.png) + +6. Set the JSON file with the following value: + + +``` +{ + "type": "object", + "properties": { + "@@odata.context": { + "type": "string" + }, + "value": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "computerDnsName": { + "type": "string" + }, + "firstSeen": { + "type": "string" + }, + "lastSeen": { + "type": "string" + }, + "osPlatform": { + "type": "string" + }, + "osVersion": {}, + "lastIpAddress": { + "type": "string" + }, + "lastExternalIpAddress": { + "type": "string" + }, + "agentVersion": { + "type": "string" + }, + "osBuild": { + "type": "integer" + }, + "healthStatus": { + "type": "string" + }, + "riskScore": { + "type": "string" + }, + "exposureScore": { + "type": "string" + }, + "aadDeviceId": {}, + "machineTags": { + "type": "array" + } + }, + "required": [ + "id", + "computerDnsName", + "firstSeen", + "lastSeen", + "osPlatform", + "osVersion", + "lastIpAddress", + "lastExternalIpAddress", + "agentVersion", + "osBuild", + "healthStatus", + "rbacGroupId", + "rbacGroupName", + "riskScore", + "exposureScore", + "aadDeviceId", + "machineTags" + ] + } + } + } +} +``` + + + ![Image of JSON](images/parse-json-flow.png) + +7. 
Extract the values from the JSON call and check if the onboarded machine(s) is / are already registered at the SharePoint list as an example: +- If yes, no notification will be triggered +- If no, will register the new onboarded machine(s) in the SharePoint list and a notification will be sent to the Microsoft Defender ATP admin + + ![Image of apply to each](images/flow-apply.png) + + + + ![Image of apply to each with get items](imags/apply-to-each.png) + + ![Image of condition](imags/condition1.png) + + ![Image of condition](imags/condition2.png) + + ![Image of send email](imags/send-email.png) + + + +## Alert notification +The following image is an example of an email notification. + +![Image of email notification](images/alert-notification.png) + + +## Tips + +- You can filter here using lastSeen only: + - Every 60 min: + - Take all machines last seen in the past 7 days. + +- For each machine: + - If last seen property is on the one hour interval of [-7 days, -7days + 60 minutes ] -> Alert for offboarding possibility + - If first seen is on the past hour -> Alert for onboarding. + +In this solution you will not have duplicate alerts too: +There are tenants that have numerous machines. Getting all those machines might be very expensive and might require paging. + +You can split it to two queries: +1) For offboarding take only this interval using the OData $filter and only notify if the conditions are met. +2) Take all machines last seen in the past hour and check first seen property for them (if the first seen property is on the past hour, the last seen must be there too. ) +
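Review bot: the four image references at the end of step 7 point at a directory named `imags/` (`![Image of apply to each with get items](imags/apply-to-each.png)`, then `imags/condition1.png`, `imags/condition2.png` and `imags/send-email.png`), but every binary this commit adds lives under `images/`, so those four images will render as broken links; change `imags/` to `images/` to match `![Image of apply to each](images/flow-apply.png)` a few lines above. In the same hunk, the Parse JSON schema in step 6 lists `rbacGroupId` and `rbacGroupName` in `required` without defining either under `properties`; either add property entries for both or remove them from `required`, otherwise the Parse JSON action will fail on any response that omits them (the untyped `"osVersion": {}` and `"aadDeviceId": {}` entries look deliberate, to accept null values, and a one-line remark saying so would help readers who copy the schema). Two wording points: the second bullet under step 7 has no subject ("If no, will register the new onboarded machine(s)..."); suggest "If no, the newly onboarded machine(s) will be registered in the SharePoint list and a notification will be sent to the Microsoft Defender ATP admin". And in Tips, "In this solution you will not have duplicate alerts too:" reads awkwardly; "This approach also avoids duplicate alerts:" says the same thing more clearly.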