How to customize Windows Defender ATP Alert Email Notifications

During a recent customer engagement, I was asked whether it would be possible to add additional information to the alert email that is sent out by Windows Defender ATP when a new alert occurs. @RagoReady from Microsoft gave me a good hint to look into Microsoft Flow and the Windows Defender ATP connector.

When you enable Alert Notifications within the Windows Defender ATP portal, subscribed users get an alert email that looks as shown in the example below.

There is no option within the Windows Defender ATP portal to change the content of this e-mail; however, you can create a custom e-mail notification with additional information using Microsoft Flow.

Microsoft Flow + Windows Defender ATP

Open the Microsoft Flow portal (https://flow.microsoft.com), select My Flows, then select New and Create from blank.

Search for Windows Defender and select the trigger "Triggers when a Windows Defender ATP alert occurs".

Then select Sign in and provide an account that has access to Windows Defender ATP. The flow runs through this connection with that account's permissions, so use a dedicated account that has only the Defender ATP read access the flow needs rather than a personal administrator account.

Unless someone else in the organization has already used the Flow connector, you will be prompted to allow the Windows Defender ATP app to access your data.

Next, click the + sign to insert a new step, select Windows Defender ATP and then Get single alert (preview).

In the Alert ID field, select Alert ID from the trigger's dynamic content.

Click the + sign again to insert another step, select Windows Defender ATP and then Get single machine (preview), and fill the Machine ID field with the Alert Machine ID dynamic content.

Finally, we configure the email to be sent. Select + to add a new step and select Office 365 Outlook.

Select the action Send an email.

Fill in the recipients' e-mail addresses in the To field and define the email subject as shown in the example below.

Next, customize the body: any alert or machine field returned by the Get single alert and Get single machine steps can be added as dynamic content. I have created an email template that resembles the look and feel of the original email alert. This template includes additional alert and machine information.

You can copy the HTML code from https://gist.github.com/alexverboon/ad2e37d3cc21065f235abd995c59a7bd or from the end of this blog post.

Finally, open Show advanced options and make sure that Is HTML is set to Yes.
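What the body step assembles, as an added PowerShell example that is not part of the original post, the linked gist or the Flow connector: a function that renders an HTML alert mail from alert and machine objects shaped like the Windows Defender ATP API's alert and machine objects, which are the same fields the Get single alert and Get single machine actions expose as dynamic content. The function name ConvertTo-DefenderAlertMail, the choice of fields and the severity colours are this example's own; the $alert and $machine objects are constructed sample data, not real Defender ATP output.

```powershell
# Added example (not from the original post): render the custom alert mail body
# from alert and machine objects shaped like the Windows Defender ATP API objects.
# Runs in Windows PowerShell 5.1 and PowerShell 7 with no modules required.

function ConvertTo-DefenderAlertMail {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object] $Alert,
        [Parameter(Mandatory)] [object] $Machine
    )

    # HTML-encode every value before it lands in the body. Alert descriptions can
    # carry strings observed on the endpoint (file names, command lines), and a raw
    # '<' or '"' would otherwise be rendered as markup by the mail client.
    function Enc {
        param([object] $Value)
        if ($null -eq $Value) { return '' }
        return [System.Net.WebUtility]::HtmlEncode([string] $Value)
    }

    $severityColor = switch ("$($Alert.severity)") {
        'High'   { '#c00000' }
        'Medium' { '#e68a00' }
        'Low'    { '#2e7d32' }
        default  { '#555555' }
    }

    # Field selection is this example's choice; the original template's field set
    # lives in the linked gist.
    $rows = [ordered]@{
        'Alert ID'         = $Alert.id
        'Category'         = $Alert.category
        'Detection source' = $Alert.detectionSource
        'Created (UTC)'    = $Alert.alertCreationTime
        'Status'           = $Alert.status
        'Machine'          = $Machine.computerDnsName
        'OS'               = "$($Machine.osPlatform) $($Machine.osVersion)"
        'Last IP'          = $Machine.lastIpAddress
        'Risk score'       = $Machine.riskScore
        'Exposure level'   = $Machine.exposureLevel
        'Health'           = $Machine.healthStatus
    }

    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.Append('<html><body style="font-family:Segoe UI,Arial,sans-serif">')
    [void]$sb.Append("<h2 style=""color:$severityColor"">$(Enc $Alert.severity) severity alert: $(Enc $Alert.title)</h2>")
    [void]$sb.Append("<p>$(Enc $Alert.description)</p>")
    [void]$sb.Append('<table cellpadding="4">')
    foreach ($row in $rows.GetEnumerator()) {
        [void]$sb.Append("<tr><td><b>$(Enc $row.Key)</b></td><td>$(Enc $row.Value)</td></tr>")
    }
    [void]$sb.Append('</table></body></html>')
    return $sb.ToString()
}

# Constructed sample data (not real Defender ATP output). The description contains
# markup characters on purpose so the encoding can be seen in the result.
$alert = [pscustomobject]@{
    id                = 'sample-alert-id'
    title             = 'Suspicious PowerShell command line'
    description       = 'PowerShell was launched as: powershell -nop -w hidden -e <base64 payload>'
    severity          = 'Medium'
    category          = 'Execution'
    status            = 'New'
    detectionSource   = 'WindowsDefenderAtp'
    alertCreationTime = '2019-03-12T09:15:32Z'
    machineId         = 'sample-machine-id'
}
$machine = [pscustomobject]@{
    id              = 'sample-machine-id'
    computerDnsName = 'ws01.contoso.example'
    osPlatform      = 'Windows10'
    osVersion       = '1809'
    lastIpAddress   = '10.0.0.15'
    riskScore       = 'Medium'
    exposureLevel   = 'Medium'
    healthStatus    = 'Active'
}

$html = ConvertTo-DefenderAlertMail -Alert $alert -Machine $machine
$html | Set-Content -Path .\defender-alert.html -Encoding UTF8
```

Open defender-alert.html in a browser to preview the mail; the description's angle brackets arrive as `&lt;` and `&gt;` rather than as a tag. To send it from PowerShell instead of the Office 365 Outlook action, pass $html to Send-MailMessage with -BodyAsHtml. The same point applies to the Flow template itself: Flow inserts dynamic content into the body as-is, so treat fields that can carry endpoint-supplied text (the alert description in particular) as untrusted when you place them in the HTML.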

The flow is now complete and we're ready to test it. Select Test.

Before you continue, make sure you have access to the Windows Defender ATP portal and a client that is registered in Windows Defender ATP to run a simulation command.

Select I’ll perform the trigger action, then select Save & Test

Within the Windows Defender ATP portal, select the ? link in the portal toolbar and select Simulations and Tutorials, then select Copy Simulation script


Log on to a test machine that is registered in Windows Defender ATP, run the simulation script and wait for Defender ATP to trigger the alert.

Once the alert is triggered, the test should complete.

If all worked fine, you now have a new custom Windows Defender ATP email alert in your inbox.

I hope you enjoyed this blog post, as always, feel free to comment. 

Alex
