Microsoft 365 Defender Integration

Step 1: Create Webhook for Microsoft 365 Defender

  • Visit the Webhooks page in Binalyze AIR,

  • Click the "+ New Webhook" button on the upper right corner,

  • Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),

  • Select "Microsoft 365 Defender Webhook Parser" as the parser for this webhook,

  • Select the Acquisition Profile that AIR should run when Microsoft 365 Defender activates this webhook,

  • Set the Ignore option or leave its default value (24 hours, during which recurrent alerts for the same endpoint do not trigger a new acquisition),

  • Provide other settings such as Evidence Repository, CPU Limit, Compression & Encryption, or let AIR configure them automatically based on the matching policy,

  • Click the "Save" button.

  • Copy the Webhook URL for Step 2.

Step 2: Setting up Power Automate

  • Log in to Power Automate.

  • Go to My Flows on the left-hand pane.

  • Click New Flow, then Automated Cloud Flow.

  • Give the flow an explanatory name, select Microsoft Defender ATP as the flow's trigger and create it.

  • Set up your alert conditions according to Microsoft Documentation.

  • Go to Actions and find HTTP Webhook.

  • Use the Webhook URL copied in Step 1 as the HTTP POST URL,

  • Add a Content-Type: application/json header,

  • Click Add dynamic content and insert the trigger's "MachineName" dynamic content as the host value of the POST body:

    {"result":{"host": "MachineName"}}
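Before pointing the flow at production, it helps to see the exchange the two steps above set up: the sender (the Power Automate HTTP action) POSTs a JSON body whose result.host is the Defender alert's MachineName, and the receiver (the AIR webhook with the Microsoft 365 Defender parser) checks the Content-Type header and that shape before mapping the host to an endpoint. The script below is an added example, not Binalyze or Microsoft code: it stands up a local stand-in receiver that mimics only the contract described on this page, builds the body from a constructed Defender-style alert (the AlertTitle and Severity fields are made up; only MachineName is taken from the page), and sends one well-formed request and one with a wrong Content-Type so both outcomes can be observed.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of the dynamic content a Defender alert trigger exposes.
# Only MachineName is used by the webhook body; the other fields are illustrative.
SAMPLE_ALERT = {
    "AlertTitle": "Suspicious RDP logon attempts",
    "MachineName": "ws-finance-07",
    "Severity": "Medium",
}


def build_webhook_body(alert: dict) -> dict:
    """Sender side: produce the body the HTTP action posts, {"result": {"host": <MachineName>}}."""
    host = alert.get("MachineName")
    if not isinstance(host, str) or not host.strip():
        # Without a host name AIR has nothing to match against its endpoints.
        raise ValueError("alert has no MachineName; the webhook cannot be mapped to an endpoint")
    return {"result": {"host": host}}


def parse_webhook_body(raw: bytes, content_type: str) -> str:
    """Receiver side: enforce the JSON content type and the result.host shape, return the host."""
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise ValueError(f"unexpected Content-Type: {content_type!r}")
    data = json.loads(raw)
    host = data["result"]["host"]  # KeyError/TypeError if the body shape is wrong
    if not isinstance(host, str) or not host.strip():
        raise ValueError("result.host must be a non-empty string")
    return host


class _StandInReceiver(BaseHTTPRequestHandler):
    """Local stand-in for the AIR webhook endpoint (hypothetical; only validates the contract)."""

    received = []

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        raw = self.rfile.read(length)
        try:
            host = parse_webhook_body(raw, self.headers.get("Content-Type", ""))
        except (ValueError, KeyError, TypeError, json.JSONDecodeError) as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode())
            return
        _StandInReceiver.received.append(host)
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def post_webhook(url: str, body: dict, content_type: str = "application/json") -> int:
    """Send the body exactly as the Power Automate HTTP action would; return the HTTP status."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers={"Content-Type": content_type}, method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_exchange() -> tuple:
    """Start the stand-in receiver, send a good and a mis-typed request, return (good, bad, hosts)."""
    _StandInReceiver.received = []
    server = HTTPServer(("127.0.0.1", 0), _StandInReceiver)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/webhook"
    try:
        good = post_webhook(url, build_webhook_body(SAMPLE_ALERT))
        bad = post_webhook(url, build_webhook_body(SAMPLE_ALERT), content_type="text/plain")
    finally:
        server.shutdown()
        server.server_close()
    return good, bad, list(_StandInReceiver.received)


if __name__ == "__main__":
    good, bad, hosts = run_exchange()
    print(f"application/json -> {good}, text/plain -> {bad}, hosts accepted: {hosts}")
```

The receiver here deliberately rejects anything that is not application/json, which is why the header in Step 2 is not optional; if the flow later changes the body template, the same parse function shows immediately whether result.host is still present.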
