Microsoft Defender for Cloud is a solution for cloud security posture management (CSPM) and cloud workload protection (CWP) that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment and can protect workloads across multi-cloud and hybrid environments from evolving threats.
This document provides information about the Microsoft Defender For Cloud connector, which facilitates automated interactions with a Microsoft Defender For Cloud server using FortiSOAR™ playbooks. Add the Microsoft Defender For Cloud connector as a step in FortiSOAR™ playbooks to perform automated operations such as retrieving details of a specific Auto Provisioning Setting (APS) or updating the state of a specific alert.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 7.3.0-2034
Authored By: Fortinet
Certified: Yes
You can get authentication tokens to access the Microsoft Defender For Cloud APIs using the "On behalf of the User – Delegate Permission" method. For more information, see the "Create an app to access Microsoft 365 Defender APIs on behalf of a user" article.
Replace TENANT_ID, CLIENT_ID, and REDIRECT_URI in the following URL with your own tenant ID, client ID, and redirect URI:
https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?response_type=code&scope=https://management.azure.com/.default&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI
After authorization, you are redirected to a URL with the following structure:
REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
Copy the AUTH_CODE (without the "code=" prefix) and paste it in the 'Authorization Code' parameter.
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-microsoft-defender-for-cloud
user_impersonation API permission (see the Getting Access Tokens using the On behalf of the user – Delegate Permission method section).
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Microsoft Defender For Cloud connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | Enter the Service-based URI to which you will connect and perform the automated operations. |
| Directory (tenant) ID | Enter the ID of the tenant that you have been provided for your Azure Active Directory instance. |
| Application (Client) ID | Enter the unique ID of the Azure Active Directory application that is used to create an authentication token required to access the API. |
| Application (Client) Secret | Enter the unique Client Secret of the Azure Active Directory application that is used to create an authentication token required to access the API. |
| Authorization Code | Enter the authorization code that you acquired during the authorization step. For more information, see the Getting Access Tokens using the On behalf of the user – Delegate Permission method section. |
| Redirect URL | Enter the redirect_uri of your app, where authentication responses can be sent and received by your app. The redirect URL that you specify here must exactly match one of the redirect URIs that you have registered in your app registration portal. |
| Subscription ID | Enter your Azure Subscription ID for Microsoft Defender For Cloud. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
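The authorization step from the Getting Access Tokens section, and the Authorization Code and Redirect URL parameters above, as an added Python example (not part of the connector or of Fortinet's documentation). The function names and all sample IDs are assumptions constructed for illustration; the endpoint and scope are the ones given on this page.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Endpoint and scope as given in the authorization step on this page.
AUTHORIZE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
SCOPE = "https://management.azure.com/.default"


def build_authorize_url(tenant_id, client_id, redirect_uri):
    """Return the consent URL with every parameter percent-encoded."""
    query = urlencode({
        "response_type": "code",
        "scope": SCOPE,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    })
    return AUTHORIZE_URL.format(tenant=quote(tenant_id, safe="")) + "?" + query


def extract_auth_code(redirected_url, registered_redirect_uri):
    """Return AUTH_CODE from the URL the browser lands on after consent.

    Raises ValueError if the landing URL is not the registered redirect URI,
    if the identity platform returned an error, or if no single code is present.
    """
    got = urlsplit(redirected_url.strip())
    want = urlsplit(registered_redirect_uri)
    # A code delivered anywhere other than the registered redirect URI
    # should not be pasted into the connector configuration.
    if (got.scheme, got.netloc.lower(), got.path) != (
            want.scheme, want.netloc.lower(), want.path):
        raise ValueError("redirect does not match the registered redirect URI")
    params = parse_qs(got.query)  # also percent-decodes the values
    if "error" in params:
        detail = params.get("error_description", [""])[0]
        raise ValueError("authorization failed: %s %s" % (params["error"][0], detail))
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one 'code' parameter")
    # Only the code value is returned: no "code=" prefix, no session_state.
    return codes[0]


if __name__ == "__main__":
    # Constructed sample values, not real tenant or application IDs.
    redirect = "https://localhost/myapp"
    print(build_authorize_url("11111111-2222-3333-4444-555555555555",
                              "66666666-7777-8888-9999-000000000000", redirect))
    landed = redirect + "?code=0.AXYZ-constructed%2Fvalue&session_state=abc123"
    print(extract_auth_code(landed, redirect))
```

Parsing the landing URL rather than copying from the address bar avoids pasting the trailing `&session_state=...` or a still percent-encoded code into the 'Authorization Code' field.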
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Alert List | Retrieves the list of all the alerts or specific alerts that are associated with the specified subscription, resource groups that are stored in a specific location, and other input parameters you have specified. | get_alert_list Investigation |
| Update Alert | Updates the state of the specific alert based on the alert name, Azure Security Center (ASC) location, and other input parameters you have specified. | update_alert Investigation |
| Get APS | Retrieves details of a specific Auto Provisioning Setting (APS) based on the setting name you have specified. | get_aps Investigation |
| Update APS | Updates a specific APS based on the settings name and auto provisioning setting you have specified. | update_aps Investigation |
| Get ATP | Retrieves the ATP (Advanced Threat Protection) setting details for the specified resource based on the resource ID and other input parameters you have specified. | get_atp Investigation |
| Update ATP | Updates ATP setting details based on the resource group name, storage account, and other input parameters you have specified. | update_atp Investigation |
| Get APS List | Retrieves a list of all the auto provisioning settings for the specified subscription. | get_aps_list Investigation |
| Get Secure Score | Retrieves the secure score for a specific Microsoft Defender for Cloud initiative within your current scope. To get the secure score for the ASC 'Default' initiative, use 'ascScore'. | get_secure_score Investigation |
| Get Locations List | Retrieves the location of the responsible Azure Security Center (ASC) for the specific subscription (home region). For each subscription, there is only one responsible location. The location in the response should be used to read or write other resources in ASC according to their ID. | get_locations_list Investigation |
| Get Storage List | Retrieves a list of all the storage accounts available under the subscription. | get_storage_list Investigation |
| Get JIT List | Retrieves the list of all policies or specific policies used to protect resources using Just-in-Time access control based on the resource group name, ASC location, and other input parameters you have specified. | get_jit_list Investigation |
| Get Subscriptions List | Retrieves the list of all subscriptions for the specified tenant. | get_subscriptions_list Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Resource Group Name | Specify the name of the resource group within the specified subscription from which you want to retrieve the alerts. Note: The name is case-insensitive. |
| ASC Location | Specify the location where Azure Security Center stores the data of the subscription. You can retrieve the Azure Security Center (ASC) locations using the 'Get Locations List' operation. |
The output contains the following populated JSON schema:
{
  "value": [
    {
      "id": "",
      "name": "",
      "type": "",
      "properties": {
        "version": "",
        "alertType": "",
        "systemAlertId": "",
        "productComponentName": "",
        "alertDisplayName": "",
        "description": "",
        "severity": "",
        "intent": "",
        "startTimeUtc": "",
        "endTimeUtc": "",
        "resourceIdentifiers": [
          {
            "azureResourceId": "",
            "type": ""
          },
          {
            "workspaceId": "",
            "workspaceSubscriptionId": "",
            "workspaceResourceGroup": "",
            "agentId": "",
            "type": ""
          }
        ],
        "remediationSteps": [],
        "vendorName": "",
        "status": "",
        "extendedLinks": [
          {
            "Category": "",
            "Label": "",
            "Href": "",
            "Type": ""
          }
        ],
        "alertUri": "",
        "timeGeneratedUtc": "",
        "productName": "",
        "processingEndTimeUtc": "",
        "entities": [
          {
            "address": "",
            "location": {
              "countryCode": "",
              "state": "",
              "city": "",
              "longitude": "",
              "latitude": "",
              "asn": ""
            },
            "type": ""
          }
        ],
        "isIncident": "",
        "correlationKey": "",
        "extendedProperties": {
          "Property1": ""
        },
        "compromisedEntity": "",
        "techniques": [],
        "subTechniques": [],
        "supportingEvidence": {
          "type": "",
          "title": "",
          "columns": [],
          "rows": [
            []
          ]
        }
      }
    }
  ]
}
| Parameter | Description |
|---|---|
| Alert Name | Specify the name of the alert object whose status you want to update. For example, 2517300056433270383_103cc5be-e568-47f6-8781-6cef0a477f0a |
| Change State To | Select the state that you want to assign to the specified alert. You can choose from the following options: Activate, Dismiss, In Progress, or Resolve. |
| ASC Location | Specify the location where Azure Security Center stores the data of the subscription. You can retrieve the Azure Security Center (ASC) locations using the 'Get Locations List' operation. |
| Resource Group Name | (Optional) Specify the name of the resource group within the specified subscription where you want to update the specified alert. Note: The name is case-insensitive. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Setting Name | Specify the name of the auto provisioning setting whose details you want to retrieve. |
The output contains the following populated JSON schema:
{
  "id": "",
  "name": "",
  "type": "",
  "properties": {
    "autoProvision": ""
  }
}
| Parameter | Description |
|---|---|
| Setting Name | Specify the name of the auto provisioning setting that you want to update. By default, the key (name) is set as 'default'. |
| Auto Provision | Select the provisioning action you want to take for the security agent. You can choose between On or Off. |
The output contains the following populated JSON schema:
{
  "id": "",
  "name": "",
  "type": "",
  "properties": {
    "autoProvision": ""
  }
}
| Parameter | Description |
|---|---|
| Resource Id | Specify the identifier of the resource for which you want to retrieve Advanced Threat Protection (ATP) setting details. |
| Setting Name | (Optional) Specify the ATP setting name whose details you want to retrieve. By default, the name of the setting is set to 'current'. |
The output contains the following populated JSON schema:
{
  "id": "",
  "name": "",
  "type": "",
  "properties": {
    "isEnabled": ""
  }
}
| Parameter | Description |
|---|---|
| Resource Group Name | Specify the name of the resource group within the specified subscription where you want to update the ATP settings details. |
| Storage Account | Specify the name of the storage in your Azure account where you want to update the ATP settings details. |
| Is Enabled | Select 'True' to enable Advanced Threat Protection and 'False' to disable ATP. |
| Setting Name | (Optional) Specify the ATP setting name that you want to update. By default, the name of the setting is set to 'current'. |
The output contains the following populated JSON schema:
{
  "id": "",
  "name": "",
  "type": "",
  "properties": {
    "isEnabled": ""
  }
}
None.
The output contains the following populated JSON schema:
{
  "value": [
    {
      "id": "",
      "name": "",
      "type": "",
      "properties": {
        "autoProvision": ""
      }
    }
  ]
}
| Parameter | Description |
|---|---|
| Secure Score Name | Specify the score name (initiative name) whose default score you want to retrieve. For the ASC 'Default' initiative, use 'ascScore'. |
The output contains the following populated JSON schema:
{
  "id": "",
  "name": "",
  "type": "",
  "properties": {
    "displayName": "",
    "score": {
      "max": "",
      "current": "",
      "percentage": ""
    },
    "weight": ""
  }
}
None.
The output contains the following populated JSON schema:
{
  "value": [
    {
      "id": "",
      "name": "",
      "type": "",
      "properties": {
        "homeRegionName": ""
      }
    }
  ]
}
None.
The output contains the following populated JSON schema:
{
  "value": [
    {
      "id": "",
      "kind": "",
      "location": "",
      "name": "",
      "properties": {
        "isHnsEnabled": "",
        "creationTime": "",
        "primaryEndpoints": {
          "web": "",
          "dfs": "",
          "blob": "",
          "file": "",
          "queue": "",
          "table": "",
          "microsoftEndpoints": {
            "web": "",
            "dfs": "",
            "blob": "",
            "file": "",
            "queue": "",
            "table": ""
          },
          "internetEndpoints": {
            "web": "",
            "dfs": "",
            "blob": "",
            "file": ""
          }
        },
        "primaryLocation": "",
        "provisioningState": "",
        "routingPreference": {
          "routingChoice": "",
          "publishMicrosoftEndpoints": "",
          "publishInternetEndpoints": ""
        },
        "encryption": {
          "services": {
            "file": {
              "keyType": "",
              "enabled": "",
              "lastEnabledTime": ""
            },
            "blob": {
              "keyType": "",
              "enabled": "",
              "lastEnabledTime": ""
            }
          },
          "keySource": ""
        },
        "secondaryLocation": "",
        "statusOfPrimary": "",
        "statusOfSecondary": "",
        "supportsHttpsTrafficOnly": ""
      },
      "sku": {
        "name": "",
        "tier": ""
      },
      "tags": {
        "key1": ""
      },
      "type": ""
    }
  ]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Resource Group Name | Specify the name of the resource group within the specified subscription from which you want to retrieve the JIT list. Note: The name is case-insensitive. |
| ASC Location | Specify the location where Azure Security Center stores the data of the subscription. You can retrieve the Azure Security Center (ASC) locations using the 'Get Locations List' operation. |
The output contains the following populated JSON schema:
{
  "value": [
    {
      "kind": "",
      "properties": {
        "virtualMachines": [
          {
            "id": "",
            "ports": [
              {
                "number": "",
                "protocol": "",
                "allowedSourceAddressPrefix": "",
                "maxRequestAccessDuration": ""
              }
            ]
          }
        ],
        "requests": [
          {
            "virtualMachines": [
              {
                "id": "",
                "ports": [
                  {
                    "number": "",
                    "allowedSourceAddressPrefix": "",
                    "endTimeUtc": "",
                    "status": "",
                    "statusReason": ""
                  }
                ]
              }
            ],
            "startTimeUtc": "",
            "requestor": "",
            "justification": ""
          }
        ],
        "provisioningState": ""
      },
      "id": "",
      "name": "",
      "type": "",
      "location": ""
    }
  ]
}
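One way to review the Get JIT List output in a playbook step, as an added Python example (not part of the connector or of Fortinet's documentation): it walks the schema above and reports Just-in-Time port rules whose allowedSourceAddressPrefix is "*" or a wide CIDR range. The function names, the 256-address threshold, and every value in the sample are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample shaped like the 'Get JIT List' output above; all values are made up.
SAMPLE_JIT_LIST = {
    "value": [{
        "name": "default",
        "properties": {
            "virtualMachines": [{
                "id": "/subscriptions/00000000-0000-0000-0000-000000000000"
                      "/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
                "ports": [
                    {"number": 22, "protocol": "*",
                     "allowedSourceAddressPrefix": "*",
                     "maxRequestAccessDuration": "PT3H"},
                    {"number": 3389, "protocol": "*",
                     "allowedSourceAddressPrefix": "203.0.113.0/28",
                     "maxRequestAccessDuration": "PT3H"},
                    {"number": 5985, "protocol": "*",
                     "allowedSourceAddressPrefix": "10.0.0.0/8",
                     "maxRequestAccessDuration": "PT3H"},
                ],
            }],
            "requests": [],
        },
    }]
}


def _breadth_problem(prefix, max_addresses):
    """Return a reason string if the source prefix is too broad, else None."""
    if prefix == "*":
        return "any source address is allowed"
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        # Missing or malformed prefixes are surfaced for manual review.
        return "source prefix %r is not an IP address or CIDR" % prefix
    if net.num_addresses > max_addresses:
        return "%s covers %d addresses" % (net, net.num_addresses)
    return None


def audit_jit_policies(jit_list, max_addresses=256):
    """Return one finding per JIT port rule whose allowed source range is too wide.

    max_addresses is a hypothetical review threshold (256 = an IPv4 /24).
    """
    findings = []
    for policy in jit_list.get("value", []):
        for vm in policy.get("properties", {}).get("virtualMachines", []):
            for port in vm.get("ports", []):
                prefix = str(port.get("allowedSourceAddressPrefix", ""))
                reason = _breadth_problem(prefix, max_addresses)
                if reason:
                    findings.append({
                        "policy": policy.get("name", ""),
                        "vm": vm.get("id", ""),
                        "port": port.get("number"),
                        "reason": reason,
                    })
    return findings


if __name__ == "__main__":
    for finding in audit_jit_policies(SAMPLE_JIT_LIST):
        print(finding["policy"], finding["port"], finding["reason"])
```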
None.
The output contains the following populated JSON schema:
{
  "value": [
    {
      "id": "",
      "subscriptionId": "",
      "tenantId": "",
      "displayName": "",
      "state": "",
      "subscriptionPolicies": {
        "locationPlacementId": "",
        "quotaId": "",
        "spendingLimit": ""
      },
      "authorizationSource": "",
      "managedByTenants": [
        {
          "tenantId": ""
        }
      ],
      "tags": {
        "tagKey1": ""
      }
    }
  ],
  "nextLink": ""
}
The Sample - Microsoft Defender For Cloud - 1.0.0 playbook collection comes bundled with the Microsoft Defender For Cloud connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Microsoft Defender For Cloud connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.