Tutorial: Extend governance to endpoint remediation

Note

  • We've renamed Microsoft Cloud App Security. It's now called Microsoft Defender for Cloud Apps. In the coming weeks, we'll update the screenshots and instructions here and in related pages. For more information about the change, see this announcement. To learn more about the recent renaming of Microsoft security services, see the Microsoft Ignite Security blog.

  • Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender. The Microsoft 365 Defender portal allows security admins to perform their security tasks in one location. This will simplify workflows, and add the functionality of the other Microsoft 365 Defender services. Microsoft 365 Defender will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. For more information about these changes, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.

Defender for Cloud Apps provides predefined governance options for policies, such as suspend a user or make a file private. Using the native integration with Microsoft Power Automate, you can use a large ecosystem of software as a service (SaaS) connectors to build workflows to automate processes including remediation.

For example, when detecting a possible malware threat, you can use workflows to start Microsoft Defender for Endpoint remediation actions such as running an antivirus scan or isolating an endpoint.

In this tutorial, you'll learn how to configure a policy governance action to use a workflow to run an antivirus scan on an endpoint where a user shows signs of suspicious behavior.

Note

These workflows are only relevant for policies that contain user activity. For example, you can't use these workflows with Discovery or OAuth policies.

If you don't have a Power Automate plan, sign up for a free trial account.

Prerequisites

  • You must have a valid Microsoft Power Automate plan
  • You must have a valid Microsoft Defender for Endpoint plan
  • The Power Automate environment must be Azure AD synced, Defender for Endpoint monitored, and domain-joined

Phase 1: Generate a Defender for Cloud Apps API token

Note

If you have previously created a workflow using a Defender for Cloud Apps connector, Power Automate automatically reuses the token and you can skip this step.

  1. In Defender for Cloud Apps, in the menu bar, select the settings cog, and then select Security extensions.

  2. On the Security extensions page, select the plus button to generate a new API token.

  3. In the Generate new token pop-up, enter the token name (for example, "Flow-Token"), and then select Generate.

    Screenshot of the token window, showing the name entry and generate button.

  4. Once the token is generated, select the copy icon to the right of the generated token, and then select Close. You'll need the token later.

    Screenshot of the token window, showing the token and the copy process.

Phase 2: Create a flow to run an antivirus scan

Note

If you have previously created a flow using a Defender for Endpoint connector, Power Automate automatically reuses the connector and you can skip the Sign in step.

  1. Go to the Power Automate portal and select Templates.

    Screenshot of the main Power Automate page, showing the selection of templates.

  2. Search for Cloud App Security and select Run antivirus scan using Windows Defender upon a Defender for Cloud Apps alert.

    Screenshot of the templates Power Automate page, showing the search results.

  3. In the list of apps, on the row in which Microsoft Defender for Endpoint connector appears, select Sign in.

    Screenshot of the templates Power Automate page, showing the sign-in process.

Phase 3: Configure the flow

Note

If you have previously created a flow using an Azure AD connector, Power Automate automatically reuses the token and you can skip this step.

  1. In the list of apps, on the row in which Defender for Cloud Apps appears, select Create.

    Screenshot of the templates Power Automate page, showing the Defender for Cloud Apps create button.

  2. In the Defender for Cloud Apps pop-up, enter the connection name (for example, "Defender for Cloud Apps Token"), paste the API token you copied, and then select Create.

    Screenshot of the Defender for Cloud Apps window, showing the name and key entry and create button.

  3. In the list of apps, on the row in which HTTP with Azure AD appears, select Sign in.

  4. In the HTTP with Azure AD pop-up, for both the Base Resource URL and Azure AD Resource URI fields, enter https://graph.microsoft.com, and then select Sign in and enter the admin credentials you want to use with the HTTP with Azure AD connector.

    Screenshot of the HTTP with Azure AD window, showing the Resource fields and sign-in button.

  5. Select Continue.

    Screenshot of the templates Power Automate window, showing the completed actions and continue button.

  6. Once all the connectors are successfully connected, on the flow's page under Apply to each device, optionally modify the comment and scan type, and then select Save.

    Screenshot of the flow page, showing the scan setting section.

Phase 4: Configure a policy to run the flow

  1. In Defender for Cloud Apps, select Control, and then select Policies.

  2. In the list of policies, on the row where the relevant policy appears, choose the three dots at the end of the row, and then choose Edit policy.

  3. Under Alerts, select Send alerts to Flow, and then select Run antivirus scan using Windows Defender upon a Defender for Cloud Apps alert.

    Screenshot of the policy page, showing the alerts settings section.

Now every alert raised for this policy will initiate the flow to run the antivirus scan.
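The following Python script is an added example, not code from this tutorial or from Microsoft's flow template: it models the alert-to-scan chain the flow performs (alert user, the user's devices, the matching Defender for Endpoint machines, one scan per machine) so you can see which calls, scan types and permissions the governance action depends on. The Graph and Defender for Endpoint endpoints, the alert field names and the device-to-machine matching are assumptions about how such a flow is wired; the HTTP sender is injected so the logic runs offline.

```python
# Added example (not the tutorial's or the template's own code): models the
# "Apply to each device" step of the flow. The sender is injected so nothing
# is contacted; endpoints and field names below are assumptions.
from typing import Callable

# Assumed endpoints: Graph for the user's registered devices, and the
# Defender for Endpoint machine-action API for the antivirus scan.
GRAPH = "https://graph.microsoft.com/v1.0"
MDE = "https://api.securitycenter.microsoft.com/api"
SCAN_TYPES = {"Quick", "Full"}  # the only values the scan action accepts

# Constructed alert, as Defender for Cloud Apps might hand it to the flow
# (field names are an assumption, not the connector's schema).
SAMPLE_ALERT = {
    "title": "Impossible travel activity",
    "user": "alice@contoso.example",
    "policy": "Impossible travel",
}


def plan_scans(alert: dict, send: Callable, comment: str = "Defender for Cloud Apps alert",
               scan_type: str = "Quick") -> list:
    """Return the scan requests issued for every device of the alerted user."""
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"ScanType must be one of {sorted(SCAN_TYPES)}")
    # Step 1: resolve the alert's user to device names via Graph (User.Read.All needed).
    devices = send("GET", f"{GRAPH}/users/{alert['user']}/registeredDevices", None)
    issued = []
    for dev in devices.get("value", []):
        # Step 2: find the Defender for Endpoint machine id for that device name.
        query = f"{MDE}/machines?$filter=computerDnsName eq '{dev['displayName']}'"
        machines = send("GET", query, None)
        for m in machines.get("value", []):
            body = {"Comment": f"{comment}: {alert['title']}", "ScanType": scan_type}
            # Step 3: the governance action itself, one request per matched machine.
            send("POST", f"{MDE}/machines/{m['id']}/runAntiVirusScan", body)
            issued.append({"machine": m["id"], **body})
    return issued


def fake_send(method: str, url: str, body):
    """Offline stand-in for the two connectors; records what would be sent."""
    fake_send.calls.append((method, url, body))
    if url.endswith("/registeredDevices"):
        return {"value": [{"displayName": "ALICE-LAPTOP"}]}
    if "/machines?" in url:
        return {"value": [{"id": "machine-id-placeholder"}]}
    return {}


fake_send.calls = []
```

Running `plan_scans(SAMPLE_ALERT, fake_send, scan_type="Full")` shows the single scan request the flow would issue for the constructed alert, and a scan type outside Quick/Full is rejected before any request is built.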

You can use the steps in this tutorial to create a wide range of workflow-based actions to extend Defender for Cloud Apps remediation capabilities, including other Defender for Endpoint actions. To see a list of predefined Defender for Cloud Apps workflows, in Power Automate, search for "Cloud App Security".

See also