Azure playbook for automatic evidence collection.
The current playbook only covers MDE live response for Windows systems.
ParrotForce relies on connections to Azure Sentinel and Microsoft 365 Defender. The managed identity used for those connections must hold the following API permissions:
- AdvancedQuery.Read.All
- Alert.Read.All
- File.Read.All
- Machine.CollectForensics
- Machine.LiveResponse
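As an added example (not part of the ParrotForce repository), the following PowerShell uses the Microsoft Graph PowerShell SDK to check which of these five application permissions the playbook's managed identity already holds on the WindowsDefenderATP service principal and grants any that are missing; the tenant ID and the managed identity's display name are placeholders you must set.

```powershell
# Placeholders: set to your tenant and to the display name of the Logic App's managed identity
$TenantId            = "<tenant-id>"
$ManagedIdentityName = "ParrotForce"

# The permissions ParrotForce needs on the Microsoft 365 Defender / MDE API
$RequiredRoles = @(
    "AdvancedQuery.Read.All",
    "Alert.Read.All",
    "File.Read.All",
    "Machine.CollectForensics",
    "Machine.LiveResponse"
)

# Requires the Microsoft.Graph.Applications module; these scopes are enough to read and assign app roles
Connect-MgGraph -TenantId $TenantId -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

# Resource service principal exposing the MDE app roles, and the identity that will receive them
$mdeSp = Get-MgServicePrincipal -Filter "displayName eq 'WindowsDefenderATP'"
$miSp  = Get-MgServicePrincipal -Filter "displayName eq '$ManagedIdentityName'"
if (-not $mdeSp -or -not $miSp) { throw "Could not resolve WindowsDefenderATP or '$ManagedIdentityName'." }

# Existing assignments, so the script is safe to re-run and doubles as an audit of the identity
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id -All

foreach ($roleName in $RequiredRoles) {
    # Only application-type roles can be assigned to a managed identity
    $role = $mdeSp.AppRoles | Where-Object { $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $role) { Write-Warning "Role '$roleName' not found on WindowsDefenderATP"; continue }

    $already = $existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $mdeSp.Id }
    if ($already) { Write-Host "Already assigned: $roleName"; continue }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id `
        -PrincipalId $miSp.Id -ResourceId $mdeSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned: $roleName"
}
```

Run it as a user allowed to grant application permissions; re-running it only reports roles that are already present.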
By default, the Logic App in the template uses the "Consumption" plan type, so charges are incurred only when the workflow executes.
Click on the button to deploy automatically to your Azure Subscription, or follow these steps to import ParrotForce manually:
- Log in to the Azure Portal.
- In the top bar, search for "template" and select "Deploy a custom template" to start the deployment.
- Select "Build your own template in the editor" to manually import ParrotForce.
- Click "Load File" and select the deployazure.json file to deploy ParrotForce.
- Click Save and assign ParrotForce to the Resource Group and Subscription of your choice.
- Add folder to your repository
- Re-validate all API connections (Sentinel, MDATP) for the corresponding blocks. Use managed identity wherever possible.
- Upload the required files to the MDATP/MDE live response library (typically by starting a live response session). By default these are trident.ps1 and winpmem.exe:
  - https://github.com/nov3mb3r/trident (the ps1 is not signed by default)
  - https://github.com/Velocidex/WinPmem