By default, Microsoft Defender Advanced Threat Protection (MDATP) sends out emails when new alerts occur. However, what if we want to extend alerting beyond email?
In this post I will show you how we can use Microsoft Flow to extend the reporting capabilities of MDATP. We will send out Push Notifications (via the Flow app) as well as text messages (SMS).
Let's start with the Microsoft Flow portal (https://flow.microsoft.com). Sign in and select My Flows.
- Click on New and select Automated – from blank.
- Give it a name and search for Windows Defender ATP in the trigger field.
- Select Triggers when a Windows Defender ATP alert occurs and click Create.
Note: You might have to activate the connector first because it is a Premium connector. More info on the connector's capabilities can be found here.
Once you have created the basic flow, we want to fill it with life. First, I chose to gather more info of the alert and find out on which machine it occurred. Then I put that data into the push notification. You can see the flow I created in the screenshot below. At this time, it only sends out a push notification to the Microsoft Flow app (Android & iOS), no SMS yet. To receive the notification on a device, you have to sign in to the app with the same account that created the flow. Because we added the steps Get single alert and Get single machine, we are able to include more detailed information in the notification like Computer name and a direct link to the alert. You are free to set the notification text to whatever you feel is impactful like alert category, description or title.
We have several options for sending out text messages from Microsoft Flow. I chose TeleSign merely because it was the very first entry and registration is free with a $5 starting balance, more than enough for testing. When using this flow in a production environment you should compare the different vendors and buy what fits your needs. You can see the list of SMS providers below.
When selecting TeleSign SMS we are prompted to create a connection between Microsoft Flow and TeleSign. To do so, we have to enter a Customer ID and an API Key into Flow. If you do not already have an account, go to https://portal.telesign.com/signup and complete the registration. Once done, go to your account settings and copy both the Customer ID and the API Key into Microsoft Flow. This has to be done only once for the initial setup.
Now all we have to do is fill in the data for the SMS to be sent. We can again use any data from the alert.
And that is it. We have extended the MDATP reporting from email to Push Notifications and SMS.
This is what it looks like on the mobile device. The Investigate link takes us directly to the alert in the MDATP portal.
To reduce alert fatigue, I recommend filtering out informational or maybe even low severity alerts. I will show how this can be done in a different blog post.
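To make the flow's logic concrete outside of the Flow designer, here is an added Python example (not code from the post or from Microsoft) that mirrors the three steps described above: take the alert from the trigger, enrich it with the machine record from Get single machine, and build the push and SMS text with the computer name and an Investigate link; it also applies the severity filter recommended in the last paragraph. The alert and machine records are constructed samples shaped like the Windows Defender ATP API fields, and the portal URL pattern is an assumption you should adjust to your tenant.

```python
import json

# Constructed sample alert, shaped like the fields returned by the
# Windows Defender ATP "Get single alert" action (field names assumed).
SAMPLE_ALERT_JSON = """{
  "id": "da637012345678901234_-1234567890",
  "title": "Suspicious PowerShell command line",
  "severity": "Medium",
  "category": "Execution",
  "description": "A process launched PowerShell with an encoded command.",
  "machineId": "3f2d8e1a9c0b4d5e6f7a8b9c0d1e2f3a4b5c6d7e",
  "alertCreationTime": "2020-01-15T10:42:00Z"
}"""

# Constructed sample machine record ("Get single machine" step).
SAMPLE_MACHINE_JSON = """{
  "id": "3f2d8e1a9c0b4d5e6f7a8b9c0d1e2f3a4b5c6d7e",
  "computerDnsName": "workstation-042.corp.example",
  "osPlatform": "Windows10",
  "riskScore": "High"
}"""

# Severities dropped to reduce alert fatigue (informational and low, as the post suggests).
SUPPRESSED_SEVERITIES = {"informational", "low"}

# Assumed portal URL pattern for the Investigate link; adjust to your tenant's portal.
PORTAL_ALERT_URL = "https://securitycenter.windows.com/alert/{alert_id}"

# Single GSM SMS segment limit; longer text would be split or billed as several messages.
SMS_MAX_LEN = 160


def should_notify(alert, suppressed=SUPPRESSED_SEVERITIES):
    """Return False for alerts whose severity is in the suppressed set (case-insensitive)."""
    return alert.get("severity", "").lower() not in suppressed


def build_notification(alert, machine):
    """Build the push text and the SMS text from the alert plus the machine record."""
    link = PORTAL_ALERT_URL.format(alert_id=alert["id"])
    # Only trust the machine record if it really belongs to this alert.
    if machine.get("id") == alert.get("machineId"):
        computer = machine.get("computerDnsName", "unknown host")
    else:
        computer = "unknown host"
    push = (
        f"[{alert['severity']}] {alert['title']}\n"
        f"Machine: {computer}\n"
        f"Category: {alert.get('category', 'n/a')}\n"
        f"Investigate: {link}"
    )
    sms = f"MDATP {alert['severity']}: {alert['title']} on {computer} {link}"
    return {"push": push, "sms": sms[:SMS_MAX_LEN], "link": link, "computer": computer}


def process_alert(alert_json, machine_json):
    """Flow equivalent: trigger -> severity filter -> enrich -> notification payloads.
    Returns None when the alert is filtered out."""
    alert = json.loads(alert_json)
    if not should_notify(alert):
        return None
    machine = json.loads(machine_json)
    return build_notification(alert, machine)


if __name__ == "__main__":
    result = process_alert(SAMPLE_ALERT_JSON, SAMPLE_MACHINE_JSON)
    if result is None:
        print("alert suppressed")
    else:
        print("PUSH:\n" + result["push"])
        print("SMS: " + result["sms"])
```

The severity check runs before the enrichment calls, which is also the cheapest place for it in the real flow: a condition right after the trigger avoids spending connector actions on alerts you never intend to send.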