Using Defender for Endpoint API and Power Automate
I recently detailed:
Using defender for Endpoint API and PowerShell
to produce this type of output
which is all well and good but does lack some flexibility when it comes to output as well as being something you need to manually initiate. There is way to deliver more using Power Automate.
To do this you’ll still need to complete the initial steps from the previous article and create an Azure AD app in the destination tenant and save the access information. This basically allows access to the destination tenant to extract data. However, now, rather than embedding that sensitive information inside a public script and having the credentials ‘in the open’, they can be securely stored in Azure Key Vault. This will provide a secure repository for the Azure AD app credentials while still allowing them to be readily accessible by service like Power Automate. To use Azure Key Vault you will need a paid Azure subscription.
In a nutshell, we want to create a basic Flow in Power Automate like that shown above. In this case it is initiated manually but it could just as easily be triggered on a schedule using the Recurrence action in Flow. Next, the required parameters are grabbed from the Azure Key Vault.
When you are building this Flow, if you see a dialog like shown above, it means you don’t have a Power Automate license that includes the ability to use Premium connectors like Azure Key Vault and HTTP. Licensing the Power Platform is beyond the scope of this article but, if you see that dialog you’ll probably need to purchase a stand alone license of Power Automate to gain access to the required premium connectors.
You construct the HTTP action as shown above, using the parameters from the Azure Key Vault to access the Azure AD app via the API URL:
https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesByMachine
that will return a list of vulnerabilities exactly like the PowerShell script did in JSON format.
After parsing the JSON output from the HTTP action that executes the API request, the results are mapped to a simple SharePoint list as shown.
Thanks to the magic of SharePoint, you get results that look like the above, which is vulnerabilities by machine, or
vulnerabilities by severity above, thanks to the ability to easily sort lists in SharePoint.
You’ll also notice that conditional column formatting has been applied to to highlight the severity. Yet another benefit SharePoint lists provide.
So the basis of all of this is an Azure AD app with the appropriate permissions inside a tenant that you wish to obtain information from. From there you can use an API request using PowerShell or Power Automate or whatever, to pull the desired information. The easily way to format that information is to send the results to SharePoint, as done here, to slice and dice as well as display the information any way you want.
This output could as easily have been sent to Power BI, Power Apps, an email, or any other service in Microsoft 365. That’s the benefit of using the Power Platform and things like Flow to get the information. Now the possibilities are endless.
A few important point to note about this:
1. You are in control of the permissions and credentials for obtaining the information using the API. You are not surrendering or trusting these to a third party to access the source data.
2. Credentials are save in Azure Key vault which ensure they are secure and access is controlled by you.
3. You can use this technique with just about any API to import information. All you need is the API URL and the appropriate permissions inside the Azure AD app.
4. You can extract information from multiple tenants into a single source tenant if you wish, you are not limited to just pulling information from the tenant where the Flow was created.
5. The extracted data can be mapped to any Microsoft 365 service. Here it was to SharePoint as that is the easiest, but it could just as well be sent to any Microsoft 365 service. This provides a huge amount of flexibility.
6. You can modify, enhance, extend, etc the Flow at any stage to suit any changing needs.
7. The Flow and the process it executes lives inside you Microsoft 365 tenant and is subject to all the compliance and security options that Microsoft provides here.
8. You can trigger the data extraction to happen on a scheduled basis of your choice with Flow easily.
I see lots and lots of benefits of using this process to regularly pull information from any tenant on just about anything and report it in what ever way you wish. It puts you in control of the whole process, and most importantly, the security of executing this, which in a world moving to zero trust, is a huge benefit.
Hopefully, this will inside you to start playing around with the possibilities when it comes to API and Power Automate.
Originally published at http://blog.ciaops.com on June 17, 2021.
