
License: GNU General Public License v3.0 (GPL-3.0)

Create Attack Disruption scenario using Logic Apps

Authors: Benji Kovacevic & Christos Ventouris (cventour)

This is a sample playbook demonstrating how to create an Attack Disruption scenario using Logic Apps.

Prerequisites

  1. Create an App Registration in the Entra ID portal and save its Tenant ID and Application ID
  2. Create and save a Secret for the App Registration (Note: we always recommend storing the secret in Azure Key Vault.)
  3. Assign the AdvancedHunting.Read.All permission to the created App Registration (APIs my organization uses -> Microsoft Threat Protection)
  4. Save the Object ID of the SOC group from Entra ID
  5. Create a PAN-OS API key

Quick Deployment

Deploy a playbook:
  - Deploy to Azure
  - Deploy to Azure Gov

Post-deployment

  1. Authorize the Microsoft Defender for Endpoint, Entra ID, and Microsoft Outlook connections

Note

You can update the Hunting query used in the Parameters section of the Logic App. Please note that you will then need to update the Parse JSON action with a new schema based on the Hunting query result, as well as every value taken from the Parse JSON action in the rest of the Logic App.
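The note above is where most customizations of this playbook break: a changed hunting query returns columns the existing Parse JSON schema does not describe. The following helper is an added example, not code from this playbook or from Microsoft; it assumes the query runs against the Microsoft Threat Protection Advanced Hunting API (the API the AdvancedHunting.Read.All permission in the prerequisites grants), whose response carries a "Schema" array of Name/Type pairs and a "Results" array of rows. It derives a Parse JSON-compatible schema from such a response, lists the columns a changed query introduces that an older schema does not cover, and collects the device IDs and remote IPs that the later Defender for Endpoint and PAN-OS actions would consume. The sample response is constructed, and the column names DeviceId and RemoteIP are assumptions.

```python
"""Schema and value helpers for a Logic Apps Attack Disruption playbook.

Added example (not part of the playbook). Assumptions:
  * the hunting result has the Microsoft Threat Protection Advanced Hunting
    shape: {"Stats": {...}, "Schema": [{"Name", "Type"}, ...], "Results": [...]};
  * the sample response below is constructed, not captured from a tenant;
  * the columns DeviceId and RemoteIP are what the disruption actions use.
"""
from __future__ import annotations

import json
from typing import Any

# Advanced Hunting column types -> JSON schema types accepted by Parse JSON.
# Anything unknown (e.g. a Dynamic column rendered as text) falls back to string.
_TYPE_MAP = {
    "String": "string",
    "Guid": "string",
    "DateTime": "string",
    "Int32": "integer",
    "Int64": "integer",
    "Long": "integer",
    "Double": "number",
    "Real": "number",
    "Boolean": "boolean",
    "Dynamic": "object",
}

# Constructed sample: three connection rows from two devices to two remote IPs.
SAMPLE_RESPONSE: dict[str, Any] = {
    "Stats": {"ExecutionTime": 0.1},
    "Schema": [
        {"Name": "Timestamp", "Type": "DateTime"},
        {"Name": "DeviceId", "Type": "String"},
        {"Name": "DeviceName", "Type": "String"},
        {"Name": "RemoteIP", "Type": "String"},
        {"Name": "RemotePort", "Type": "Int32"},
    ],
    "Results": [
        {"Timestamp": "2024-03-12T10:00:00Z", "DeviceId": "dev-aaa",
         "DeviceName": "ws01", "RemoteIP": "203.0.113.10", "RemotePort": 443},
        {"Timestamp": "2024-03-12T10:01:00Z", "DeviceId": "dev-bbb",
         "DeviceName": "ws02", "RemoteIP": "203.0.113.10", "RemotePort": 8443},
        {"Timestamp": "2024-03-12T10:02:00Z", "DeviceId": "dev-aaa",
         "DeviceName": "ws01", "RemoteIP": "198.51.100.7", "RemotePort": 443},
    ],
}


def parse_json_schema(hunting_response: dict[str, Any]) -> dict[str, Any]:
    """Build the schema to paste into the Parse JSON action from the Schema block."""
    columns = {
        col["Name"]: {"type": _TYPE_MAP.get(col["Type"], "string")}
        for col in hunting_response["Schema"]
    }
    return {
        "type": "object",
        "properties": {
            "Results": {
                "type": "array",
                "items": {"type": "object", "properties": columns},
            }
        },
    }


def unknown_columns(schema: dict[str, Any], hunting_response: dict[str, Any]) -> list[str]:
    """Columns present in Results that an (older) Parse JSON schema does not declare.

    A non-empty list means the query changed and the schema must be regenerated.
    """
    declared = set(schema["properties"]["Results"]["items"]["properties"])
    seen: set[str] = set()
    for row in hunting_response["Results"]:
        seen.update(row)
    return sorted(seen - declared)


def disruption_targets(hunting_response: dict[str, Any],
                       device_col: str = "DeviceId",
                       ip_col: str = "RemoteIP") -> tuple[list[str], list[str]]:
    """Unique device IDs and remote IPs the later actions would act on (de-duplicated)."""
    devices = {row[device_col] for row in hunting_response["Results"] if row.get(device_col)}
    ips = {row[ip_col] for row in hunting_response["Results"] if row.get(ip_col)}
    return sorted(devices), sorted(ips)


if __name__ == "__main__":
    generated = parse_json_schema(SAMPLE_RESPONSE)
    print(json.dumps(generated, indent=2))
    print("unknown columns:", unknown_columns(generated, SAMPLE_RESPONSE))
    print("targets:", disruption_targets(SAMPLE_RESPONSE))
```

After editing the hunting query, run the new query once, feed its response to `unknown_columns` together with the schema currently in the Parse JSON action, and regenerate the schema with `parse_json_schema` if the list is not empty; every later action that references a renamed or removed column still has to be updated by hand, as the note says.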