Requirements

This page describes the requirements for using the script properly.

Infrastructure

Azure Services

You need the following Azure Services for this script:

  • Microsoft Defender (and Advanced Hunting)
  • Azure Automation Account with a PowerShell 7.4 Runtime Environment

Asset Management

To use this script properly, you need a centralized Asset Management with at least the following fields:

  • Hostname
  • Serverowner / Serverowneremail

Without these two fields, it is not recommended to use this script (unless one person should get and manage all Planner Tasks). Obviously, you can include any other fields you want!

Office Resources

This script creates Planner Tasks, so you need at least a Planner Plan. To find the Planner Plan faster, I recommend adding the Plan to a Team.

Here’s how you can create a Planner Plan and add it as a tab to a Team Channel:

create planner plan via teams

  1. Search for the team
  2. Click on the channel
  3. Click on the “+” to add a new tab/app
  4. Click on Planner
  5. Create a new plan or use an existing plan
  6. Save

Permissions

EntraID or Defender Roles

You need one of the following EntraID / Defender roles to be able to run a query in the Advanced Hunting Portal:

  • Global Administrator (EntraID)
  • Security Administrator (EntraID) - recommended
  • Security Operator (EntraID)
  • Microsoft Defender for Endpoint Administrator (Defender)

Rights for automation account

The Managed Identity / Service Principal of the automation account needs the following permissions on the resources:

  • Microsoft Graph
    • User.Read.All
    • Tasks.ReadWrite.All
  • WindowsDefenderATP
    • AdvancedQuery.Read.All
  • Your storage account example
    • Reader
    • Storage Table Data Contributor
    • Custom Role with: Microsoft.Storage/storageAccounts/listkeys/action

You have to add the API permissions to Graph and WindowsDefenderATP API to the “Enterprise App” that has the same name as the automation account. How do I do this?

An example of the custom role’s JSON and more about the permissions will follow.
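One way to grant the Graph and WindowsDefenderATP application permissions listed above to the managed identity, as an added example that is not part of the original script or documentation. It assumes a system-assigned managed identity (so the Enterprise App carries the Automation Account's name), the Microsoft.Graph.Applications module, and an admin account allowed to assign app roles; `$AutomationAccountName` is a placeholder.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications
# Added example: assigns only the app roles listed on this page to the managed identity.

$AutomationAccountName = '<your-automation-account-name>'   # placeholder, replace before running

# Resource API display name -> application permissions from the list above
$required = @{
    'Microsoft Graph'    = @('User.Read.All', 'Tasks.ReadWrite.All')
    'WindowsDefenderATP' = @('AdvancedQuery.Read.All')
}

Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# The managed identity shows up as an Enterprise App named like the Automation Account
$mi = @(Get-MgServicePrincipal -Filter "displayName eq '$AutomationAccountName'")
if ($mi.Count -ne 1) { throw "Expected one service principal named '$AutomationAccountName', found $($mi.Count)." }
$mi = $mi[0]

# Current assignments, used to keep the script idempotent
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All

foreach ($apiName in $required.Keys) {
    $api = @(Get-MgServicePrincipal -Filter "displayName eq '$apiName'")
    if ($api.Count -ne 1) { throw "Could not uniquely resolve resource API '$apiName'." }
    $api = $api[0]

    foreach ($roleName in $required[$apiName]) {
        # Only application-type roles can be assigned to a managed identity
        $role = $api.AppRoles |
            Where-Object { $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains 'Application' }
        if (-not $role) { throw "App role '$roleName' not found on '$apiName'." }

        if ($existing | Where-Object { $_.ResourceId -eq $api.Id -and $_.AppRoleId -eq $role.Id }) {
            Write-Host "Already assigned: $apiName / $roleName"
            continue
        }
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
            -PrincipalId $mi.Id -ResourceId $api.Id -AppRoleId $role.Id | Out-Null
        Write-Host "Assigned: $apiName / $roleName"
    }
}

# Review step: compare the final assignments against the three roles listed above
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All |
    Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime
```

The storage account roles (Reader, Storage Table Data Contributor and the custom role) are Azure RBAC assignments and are not covered by this snippet.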


PowerShell Modules

Module Name                      Purpose                                                Version
Microsoft.Graph.Planner          creating MS Planner Tasks with MsGraph API             2.26.1
Microsoft.Graph.Authentication   authenticating in MsGraph                              2.26.1
Microsoft.Graph.Security         run Advanced Hunting Queries with MsGraph              2.26.1
Microsoft.Graph.Users            get Account Data                                       2.26.1
AzTable                          managing Storage Account Tables                        2.1.0
Az                               use other modules and login with a Managed Identity    11.2.0
SVN.PSCore                       create vulnerability notifications & get vuln. data    1.0

All Az-modules are pre-installed in the Automation Account.