Microsoft 365 Defender Integration

Step 1: Create Webhook for Microsoft 365 Defender
  • Visit the Webhooks page in Binalyze AIR.
  • Click the "+ New Webhook" button in the upper right corner.
  • Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.).
  • Select "Microsoft 365 Defender Webhook Parser" as the parser for this webhook.
  • Select the Acquisition Profile to run when Microsoft 365 Defender activates this webhook.
  • Set the Ignore option or leave it at its default value (defaults to 24 hours, so repeated alerts for the same endpoint within that window do not start another acquisition).
  • Provide the other settings such as Evidence Repository, CPU Limit, Compression & Encryption, or let AIR configure them automatically based on the matching policy.
  • Click the "Save" button.
  • Copy the Webhook URL; it is needed in Step 2.
Step 2: Setting up Power Automate
  • Log in to Power Automate.
  • Go to My Flows in the left-hand pane.
  • Click New Flow, then Automated Cloud Flow.
  • Give the flow an explanatory name, select Microsoft Defender ATP as the flow's trigger and create it.
  • Set up your alert conditions according to the Microsoft documentation.
  • Go to Actions and find HTTP Webhook.
  • Use the Webhook URL copied in Step 1 as the HTTP POST URL.
  • Add a Content-Type: application/json header.
  • Click Add dynamic content and insert the trigger's "MachineName" field into the POST body, so that the body sent to AIR has this shape:
    {"result":{"host": "MachineName"}}
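The following is an added example, not code from Binalyze or Microsoft, that builds the exact body shape shown above from a constructed Defender alert, checks it before delivery, and shows the POST with the Content-Type header from Step 2. It assumes the trigger exposes the device name as the dynamic content field "MachineName" (as on the page); the other alert fields and the webhook URL are constructed placeholders.

```python
"""Build, check and (optionally) deliver the Binalyze AIR webhook body that the
Power Automate flow from Step 2 sends.

Added example, not Binalyze or Microsoft code. Assumptions: the Defender ATP
trigger exposes the device name as the dynamic content field "MachineName";
all other alert fields below and the webhook URL are constructed placeholders.
"""
import json
import urllib.request

# Constructed sample of the dynamic content a Defender ATP trigger could hand
# to the flow. Only "MachineName" is taken from the integration steps.
SAMPLE_ALERT = {
    "AlertTitle": "Suspicious RDP logon attempts",  # constructed
    "Severity": "High",                             # constructed
    "MachineName": "ws-finance-07",                 # constructed value
}

# Placeholder: replace with the Webhook URL copied from AIR in Step 1.
WEBHOOK_URL = "https://AIR-CONSOLE-PLACEHOLDER/webhook/PLACEHOLDER"


def build_payload(alert: dict) -> dict:
    """Map the trigger's dynamic content onto {"result": {"host": ...}}.

    An empty or missing MachineName is the common failure mode: AIR then has
    no endpoint to match, so refuse to build a body rather than send a blank.
    """
    host = alert.get("MachineName", "")
    if not isinstance(host, str) or not host.strip():
        raise ValueError("MachineName missing or empty; AIR cannot match an endpoint")
    return {"result": {"host": host.strip()}}


def validate_payload(payload) -> bool:
    """True only for the exact shape {"result": {"host": <non-empty str>}}."""
    if not isinstance(payload, dict) or set(payload) != {"result"}:
        return False
    result = payload["result"]
    if not isinstance(result, dict) or set(result) != {"host"}:
        return False
    host = result["host"]
    return isinstance(host, str) and bool(host.strip())


def encode_body(payload: dict) -> bytes:
    """Compact JSON, UTF-8 encoded, as it would travel on the wire."""
    return json.dumps(payload, separators=(",", ":")).encode("utf-8")


def send_to_air(payload: dict, url: str = WEBHOOK_URL, timeout: int = 10) -> int:
    """POST the body with the Content-Type header from Step 2; returns the HTTP status.

    Network call: only run this against a real AIR console with a real webhook URL.
    """
    if not validate_payload(payload):
        raise ValueError("refusing to send a malformed webhook body")
    req = urllib.request.Request(
        url,
        data=encode_body(payload),
        method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    body = build_payload(SAMPLE_ALERT)
    print(encode_body(body).decode("utf-8"))
```

Running the script prints the body that the flow must produce for the constructed alert; `send_to_air` is deliberately not called so the example stays offline until a real webhook URL is substituted.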