Solutions/MicrosoftDefenderForEndpoint/Playbooks/Restrict-MDEFileHash/Restrict-MDEFileHash-alert-trigger/azuredeploy.json
Solutions/MicrosoftDefenderForEndpoint/Playbooks/Restrict-MDEFileHash/Restrict-MDEFileHash-entity-trigger/azuredeploy.json
"description": "This playbook will take the triggering FileHash entity and generate an alert and block threat indicator for the file hash in MDE for 90 days.",
7
-
"prerequisites": "- **For Gov Only** \n\n You will need to update the HTTP action URL to the correct URL documented [here](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide#api) \n\n - You will need to grant Ti.ReadWrite permissions and assign Microsoft Sentinel Reader to the resource group for the managed identity. Run the following code replacing the managed identity object id, subscriptionId and resource group. You find the managed identity object id on the Identity blade under Settings for the Logic App. \n\n ```powershell \n\n $MIGuid = '<Enter your managed identity guid here>' \n\n $SubscriptionId = '<Enter your subsciption id here>' \n\n $ResourceGroup = '<Enter your resource group here>' \n\n $MI = Get-AzureADServicePrincipal -ObjectId $MIGuid \n\n $MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92' \n\n $PermissionName = 'Ti.ReadWrite' \n\n $RoleName = 'Microsoft Sentinel Responder' \n\n $MDEServicePrincipal = Get-AzureADServicePrincipal -Filter \"appId eq '$MDEAppId'\" \n\n $AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'} \n\n New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id \n\n New-AzRoleAssignment -ObjectId $MIGuid -RoleDefinitionName $RoleName -Scope /subscriptions/$SubscriptionId/resourcegroups/$ResourceGroup \n\n ```",
8
-
"postDeployment": ["Assign Playbook Microsoft Sentinel Responder Role",
9
-
"1. Select the Playbook (Logic App) resource",
10
-
"2. Click on Identity Blade",
11
-
"3. Choose System assigned tab",
12
-
"4. Click on Azure role assignments",
13
-
"5. Click on Add role assignments",
14
-
"6. Select Scope - Resource group",
15
-
"7. Select Subscription - where Playbook has been created",
16
-
"8. Select Resource group - where Playbook has been created",
17
-
"9. Select Role - Microsoft Sentinel Responder",
18
-
"10. Click Save (It takes 3-5 minutes to show the added role.)"],
19
-
"prerequisitesDeployTemplateFile": "",
20
-
"lastUpdateTime": "2023-02-26T00:00:00Z",
21
-
"entities": [
22
-
"FileHash"
23
-
],
24
-
"tags": [
25
-
"Remediation"
6
+
"description": "This playbook will take the triggering FileHash entity and generate an alert and block threat indicator for the file hash in MDE for 90 days. It will also add a comment to the incident with the file hash and action taken.",
7
+
"prerequisites": "",
8
+
"postDeployment": [
9
+
"- **For Gov Only** \n\n You will need to update the HTTP action URL to the correct URL documented [here](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide#api) \n\n - You will need to grant Ti.ReadWrite permissions to the managed identity. Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App. \n\n ```powershell \n\n $MIGuid = '<Enter your managed identity guid here>' \n\n $MI = Get-AzureADServicePrincipal -ObjectId $MIGuid \n\n $MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92' \n\n $PermissionName = 'Ti.ReadWrite' \n\n $MDEServicePrincipal = Get-AzureADServicePrincipal -Filter \"appId eq '$MDEAppId'\" \n\n $AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'} \n\n New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id \n\n ```",
10
+
"Assign Playbook Microsoft Sentinel Responder Role",
11
+
"1. Select the Playbook (Logic App) resource",
12
+
"2. Click on Identity Blade",
13
+
"3. Choose System assigned tab",
14
+
"4. Click on Azure role assignments",
15
+
"5. Click on Add role assignments",
16
+
"6. Select Scope - Resource group",
17
+
"7. Select Subscription - where Playbook has been created",
18
+
"8. Select Resource group - where Playbook has been created",
19
+
"9. Select Role - Microsoft Sentinel Responder",
20
+
"10. Click Save (It takes 3-5 minutes to show the added role.)",
21
+
"[click here for detail instructions](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftDefenderForEndpoint/Playbooks/Restrict-MDEFileHash/readme.md)"
26
22
],
23
+
"prerequisitesDeployTemplateFile": "",
24
+
"lastUpdateTime": "2025-08-01T00:00:00Z",
25
+
"entities": ["FileHash"],
26
+
"tags": ["Remediation"],
27
27
"support": {
28
-
"tier": "community",
28
+
"tier": "Microsoft",
29
29
"armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
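Review bot: The Ti.ReadWrite app-role grant script that moves from `prerequisites` into `postDeployment` is still something the playbook needs before it can call the MDE indicator API, and it now sits as one markdown blob ahead of the numbered "Assign Playbook Microsoft Sentinel Responder Role" steps, so `prerequisites` ends up empty while the post-deployment list mixes a script with a step list; keeping the Gov URL note and the grant script under `prerequisites` (or giving them their own numbered step) would keep the steps a plain list. Inside that script the backtick in `New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId ...` is a leftover line continuation that now sits mid-line and should be dropped. Removing `New-AzRoleAssignment` together with `$SubscriptionId`, `$ResourceGroup` and `$RoleName` is consistent, since steps 1 to 10 assign Microsoft Sentinel Responder manually at resource-group scope. Minor wording: "click here for detail instructions" should read "detailed instructions".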
"message": "<p>An AlertAndBlock request has been sent to the security centre API for file with hash: @{triggerBody()?['Entity']?['properties']?['Value']}. Note that the expiration time on this is 90 days.<br>\nThe response from the API was: @{outputs('HTTP_Alert_and_Block_Sha1')['statusCode']}</p>"
"message": "<p class=\"editor-paragraph\">An AlertAndBlock request has been sent to the security centre API for file with hash: @{triggerBody()?['Entity']?['properties']?['Value']}. Note that the expiration time on this is 90 days.<br>The response from the API was: @{outputs('HTTP_Alert_and_Block_Sha1')?['statusCode']} @{outputs('HTTP_Alert_and_Block_Sha256')?['statusCode']}</p>"
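Review bot: The rewritten incident comment concatenates `@{outputs('HTTP_Alert_and_Block_Sha1')?['statusCode']}` and `@{outputs('HTTP_Alert_and_Block_Sha256')?['statusCode']}` with no labels, so if only one of the two HTTP actions runs for a given hash type the analyst sees a single bare status code (the other resolves to empty thanks to the `?` operator) and cannot tell which indicator type was submitted; label each value (for example "SHA1 status: ... SHA256 status: ...") or emit only the result of the branch that executed. The switch from `['statusCode']` to `?['statusCode']` is a good change, as the old expression would fail the Compose step whenever one action was skipped.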