mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-16 15:27:22 +00:00
Edit pass for security articles DO NOT MERGE
Copy editing and requested edits for api-microsoft-flow and planning-to-deploy-windows-firewall-with-advanced-security.
This commit is contained in:
jdmartinez36
parent
ae43b7d79e
commit
be95597575
@ -21,61 +21,61 @@ ms.topic: article
|
||||
|
||||
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional Cyber defenders, forces SOC to work in the most efficient way and automation is a must. MS flow supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within few minutes.
|
||||
Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional cyber defenders forces SOC to work in the most efficient way and automation is a must. Microsoft Power Automate supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within a few minutes.
|
||||
|
||||
Microsoft Defender API has an official Flow Connector with a lot of capabilities:
|
||||
Microsoft Defender API has an official Flow Connector with many capabilities.
|
||||
|
||||
|
||||
|
||||
## Usage example
|
||||
|
||||
The following example demonstrates how you can create a Flow that will be triggered any time a new Alert occurs on your tenant.
|
||||
The following example demonstrates how to create a Flow that is triggered any time a new Alert occurs on your tenant.
|
||||
|
||||
- Login to [Microsoft Flow](https://flow.microsoft.com)
|
||||
1. Log in to [Microsoft Power Automate](https://flow.microsoft.com).
|
||||
|
||||
- Go to: My flows > New > Automated
|
||||
2. Go to **My flows** > **New** > **Automated-from blank**.
|
||||
|
||||
|
||||
|
||||
|
||||
- Choose a name for your Flow, Search for **Microsoft Defender ATP Triggers** as the trigger and choose the new Alerts trigger.
|
||||
3. Choose a name for your Flow, search for "Microsoft Defender ATP Triggers" as the trigger, and then select the new Alerts trigger.
|
||||
|
||||
|
||||
|
||||
|
||||
- Now you have a Flow that is triggered every time a new Alert occurs.
|
||||
Now you have a Flow that is triggered every time a new Alert occurs.
|
||||
|
||||
|
||||
|
||||
All you need to do now, is to choose your next steps.
|
||||
Lets, for example, Isolate the machine if the Severity of the Alert is **High** and mail about it.
|
||||
The Alert trigger gives us only the Alert ID and the Machine ID. We can use the Connector to expand these entities.
|
||||
All you need to do now is choose your next steps.
|
||||
For example, you can isolate the machine if the Severity of the Alert is High and send an email about it.
|
||||
The Alert trigger provides only the Alert ID and the Machine ID. You can use the connector to expand these entities.
|
||||
|
||||
### Get the Alert entity using the connector
|
||||
### Get the Alert entity using the connector
|
||||
|
||||
- Choose Microsoft Defender ATP for new step.
|
||||
1. Choose **Microsoft Defender ATP** for the new step.
|
||||
|
||||
- Choose Alerts - Get single alert API.
|
||||
2. Choose **Alerts - Get single alert API**.
|
||||
|
||||
- Set the Alert Id from the last step as Input.
|
||||
3. Set the **Alert ID** from the last step as **Input**.
|
||||
|
||||
|
||||
|
||||
|
||||
### Isolate the machine if the Alert's severity is High
|
||||
|
||||
- Add **Condition** as a new step .
|
||||
1. Add **Condition** as a new step.
|
||||
|
||||
- Check if Alert severity equals to **High**.
|
||||
2. Check if the Alert severity **is equal to** High.
|
||||
|
||||
- If yes, add Microsoft Defender ATP - Isolate machine action with the Machine Id and a comment.
|
||||
If yes, add the **Microsoft Defender ATP - Isolate machine** action with the Machine ID and a comment.
|
||||
|
||||
|
||||
|
||||
|
||||
Now you can add a new step for mailing about the Alert and the Isolation.
|
||||
There are multiple Email connectors that are very easy to use, e.g. Outlook, GMail, etc..
|
||||
Save your flow and that's all.
|
||||
3. Add a new step for emailing about the Alert and the Isolation. There are multiple email connectors that are very easy to use, such as Outlook or Gmail.
|
||||
|
||||
- You can also create **scheduled** flow that will run Advanced Hunting queries and much more!
|
||||
4. Save your flow.
|
||||
|
||||
You can also create a **scheduled** flow that runs Advanced Hunting queries and much more!
|
||||
|
||||
## Related topic
|
||||
- [Microsoft Defender ATP APIs](apis-intro.md)
|
||||
|
||||
@ -27,30 +27,42 @@ After you collect information about your environment and decide on a design by f
|
||||
|
||||
## Reviewing your Windows Defender Firewall with Advanced Security Design
|
||||
|
||||
If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points:
|
||||
If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure the deployment team reviews the final design with the design team. Review the following information before starting your deployment.
|
||||
|
||||
- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide:
|
||||
### Decide which devices apply to which GPO
|
||||
|
||||
- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
|
||||
The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide:
|
||||
|
||||
- [Planning the GPOs](planning-the-gpos.md)
|
||||
- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
|
||||
|
||||
- [Planning GPO Deployment](planning-gpo-deployment.md)
|
||||
- [Planning the GPOs](planning-the-gpos.md)
|
||||
|
||||
- The communication to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list.
|
||||
- [Planning GPO Deployment](planning-gpo-deployment.md)
|
||||
|
||||
- The recommendation that domain controllers are exempted from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers.
|
||||
### Configure communication between members and devices
|
||||
|
||||
- The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior, so communications can continue while the authentication failures are investigated.
|
||||
Decide what communication is to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list.
|
||||
|
||||
- The requirement that all devices that must communicate with each other share a common set of:
|
||||
### Exempt domain controllers from IPsec authentication requirements
|
||||
|
||||
- Authentication methods
|
||||
It is recommended that domain controllers are exempt from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers.
|
||||
|
||||
- Main mode key exchange algorithms
|
||||
### Configure IPsec authentication rules
|
||||
|
||||
- Quick mode data integrity algorithms
|
||||
The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior. Communications can continue while the authentication failures are investigated.
|
||||
|
||||
If at least one set of each does not match between two devices, then the devices cannot successfully communicate.
|
||||
### Make sure all devices can communicate with each other
|
||||
|
||||
For all devices to communicate with each other, they must share a common set of:
|
||||
|
||||
- Authentication methods
|
||||
|
||||
- Main mode key exchange algorithms
|
||||
|
||||
- Quick mode data integrity algorithms
|
||||
|
||||
If at least one set of each does not match between two devices, then the devices cannot successfully communicate.
|
||||
|
||||
## Deploy your Windows Firewall Design Plan
|
||||
|
||||
After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Defender Firewall design. For more information, see [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md).
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user