| | | Aktualisiert am:27. May 2019 0

Extending MDATP Alerting – Sending Text Messages (SMS) and Push Notifications

By default, Microsoft Defender Advanced Threat Protection (MDATP) sends out emails when new alerts occur. However, what if we want to extend alerting beyond email?

In this post I will show you how we can use Microsoft Flow to extend the reporting capabilities of MDATP. We will send out Push Notifications (via the Flow app) as well as text messages (SMS).

Lets start with the Microsoft Flow portal (https://flow.microsoft.com). Sign in and select My Flows.

  1. Click on New and select Automated – from blank.
  2. Give it a name and search for Windows Defender ATP in the trigger field.
  3. Select Triggers when a Windows Defender ATP alert occurs and click Create.

Note: You might have to activate the connector first because it is a Premium connector. More info on the connectors capabilities can be found here.

Push Notification

Once you have created the basic flow, we want to fill it with life. First, I chose to gather more info of the alert and find out on which machine it occurred. Then I put that data into the push notification. You can see the flow I created in the screenshot below. At this time, it only sends out a push notification to the Microsoft Flow app (Android & iOS), no SMS yet. To receive the notification on a device, you have to sign in to the app with the same account that created the flow. Because we added the steps Get single alert and Get single machine, we are able to include more detailed information in the notification like Computer name and a direct link to the alert. You are free to set the notification text to whatever you feel is impactful like alert category, description or title.

A screenshot of a Flow to send out a Push Notification when an alert occurs in MDATP.

SMS

We have several options for sending out text messages from Microsoft Flow. I chose TeleSign merely because it was the very first entry and registration is free with 5$ starting balance, more than enough for testing. When using this flow in a production environment you should compare the different vendors and buy what fits your needs. You can see the list of SMS providers below.

A screenshot of the SMS providers in Microsoft Flow

When selecting TeleSign SMS we are prompted to create a connection between Microsoft Flow and TeleSign. To do so, we have to enter a Customer ID and an API Key into Flo . If you do not already have an account, go to https://portal.telesign.com/signup and complete the registration. Once done, go to your account settings and copy both the Customer ID and the Api key into Microsoft Flow. This has to be done only once for the initial setup.

A screenshot of the TeleSign Connector setup in Microsoft Flow

 

Now all we have to do is fill in the data for SMS to be send. We can again use any data from the alert.

A screenshot of the TeleSign SMS connection in Microsoft Flow

User Experience

And that is it. We have extended the MDATP reporting from email to Push Notifications and SMS.

This is what it looks like on the mobile device. The Link Investigate takes us directly to the alert in the MDATP portal.

A screenshot of a locked android phone with two notifications from MDATPA screenshot of the Android Flow app with an alert from MDATP

 

 

 

 

 

 

 

 

 

 

 

 

Next steps:

To reduce alert fatigue, I recommend to filter out informational or maybe even low severity alerts. I will show how this can be done in a different blog post.