This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 3%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Hi,
we are trying to create isolate machine Sentinel incident playbook but we only get error message 404 resource not found when running it. Is it possible to use that playbook if machine accounts are synced from on-premise ad or does it need something else when comparing to Azure joined machine accounts?
~ Jukka ~
This is our playbook:
{
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Entities_-_Get_Hosts": {
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel-1']['connectionId']"
}
},
"method": "post",
"path": "/entities/host"
},
"runAfter": {},
"type": "ApiConnection"
},
"For_each": {
"actions": {
"Condition": {
"actions": {
"Actions_-_Isolate_machine": {
"inputs": {
"body": {
"Comment": "@{items('For_each')}isolated",
"IsolationType": "Full"
},
"host": {
"connection": {
"name": "@parameters('$connections')['wdatp']['connectionId']"
}
},
"method": "post",
"path": "/api/machines/@{encodeURIComponent(items('For_each'))}/isolate"
},
"type": "ApiConnection"
}
},
"else": {
"actions": {
"Add_comment_to_incident_(V3)": {
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>Not isolated</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel-2']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@triggerBody()?['object']?['properties']?['additionalData']",
"@null"
]
}
}
]
},
"type": "If"
}
},
"foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
"runAfter": {
"Entities_-_Get_Hosts": [
"Succeeded"
]
},
"type": "Foreach"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel-1']['connectionId']"
}
},
"path": "/incident-creation"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel-1": {
"connectionId": "/subscriptions/9a9ef173-982c-4128-b1ef-bf34dc839a7f/resourceGroups/JeduSentinelRG/providers/Microsoft.Web/connections/azuresentinel-1",
"connectionName": "azuresentinel-1",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
},
"id": "/subscriptions/9a9ef173-982c-4128-b1ef-bf34dc839a7f/providers/Microsoft.Web/locations/westeurope/managedApis/azuresentinel"
},
"azuresentinel-2": {
"connectionId": "/subscriptions/9a9ef173-982c-4128-b1ef-bf34dc839a7f/resourceGroups/JeduSentinelRG/providers/Microsoft.Web/connections/azuresentinel-2",
"connectionName": "azuresentinel-2",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
},
"id": "/subscriptions/9a9ef173-982c-4128-b1ef-bf34dc839a7f/providers/Microsoft.Web/locations/westeurope/managedApis/azuresentinel"
},
"wdatp": {
"connectionId": "/subscriptions/9a9ef173-982c-4128-b1ef-bf34dc839a7f/resourceGroups/JeduSentinelRG/providers/Microsoft.Web/connections/wdatp",
"connectionName": "wdatp",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
},
"id": "/subscriptions/9a9ef173-982c-4128-b1ef-bf34dc839a7f/providers/Microsoft.Web/locations/westeurope/managedApis/wdatp"
}
}
}
}
}
and error body
{
"error": {
"code": "ResourceNotFound",
"message": "Machine {\"dnsDomain\":\"domain.local\",\"hostName\":\"machine-account\",\"azureID\":\"50a233cc-1677-4656-82ec-xxxxxxxxxxxx\",\"osFamily\":\"Windows\",\"osVersion\":\"22H2\",\"additionalData\":{\"MdatpDeviceId\":\"d0630829a535d8fe909ffccef9866axxxxxxxxxx\",\"DeviceDnsName\":\"machine-account.domain.local\",\"RiskScore\":\"medium\",\"HealthStatus\":\"active\",\"OsBuild\":22621,\"FirstSeenDateTime\":\"2023-06-01T05:18:35.1397063+00:00\",\"RbacGroupName\":\"UnassignedGroup\",\"DefenderAvStatus\":\"notSupported\",\"OnboardingStatus\":\"onboarded\",\"LoggedOnUsers\":\"System.Collections.Generic.List`1[Microsoft.Azure.Sentinel.MicrosoftGraph.Mtp.Contracts.Entities.LoggedOnUser]\"},\"friendlyName\":\"machine-account\",\"Type\":\"host\"} was not found.",
"target": "|734d197e-40999cdaxxxxxxxx."
}
}
Got this working by using link below
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-MDE-Isolate-Machine
Maybe share some screen shots of your logic app for better understanding. The JSON source is hard to read. I recommend looking at the Content Hub and Sentinel GitHub repo for similar examples. These examples can often clarify something you may have overlooked. I am certain this has been done before.
I assume you are calling the Defender for Endpoint isolation capability. If that is the case, on-prem or AD credentials are not involved. Possibly the target systems have not been onboarded to MDE. Also, you probably need to pass the MDE Device ID for isolation. Without looking closer, I assume the Sentinel entity might have the device ID. If not, you need to run an additional enrichment to get the ID. For example, a query to MDE advanced hunting logs.
Some screenshots. Target system have been onboarded to MDE. Target system also has mdatpdeviceid in sentinel alert and in logic app error message
I´m quite newbie with Sentinel but yes if i am not wrong i´m calling Defender for Endpoint isolation. I can isolate devices from Microsoft Defender manually now