Automate your SOC – Rise of the machine (risk)

Microsoft Defender for Endpoint

We’re back with another edition of Automate your SOC with Microsoft STAT. Today we’re going to discuss the Microsoft Defender for Endpoint module (MDEModule). This module retrieves a few pieces of device information from MDE that can enrich your incident.

The module returns the MDE risk level and exposure level for the machines in the incident, and for the machines associated with the users and IP addresses in the incident.

Like the Azure AD module, we first need to discuss what risk level and exposure level mean.

The risk level is based on a combination of factors, including the types and severity of the active alerts on the device. The exposure level is based on the pending security recommendations for the device, so it describes how exposed the device is rather than whether it is currently under attack. These recommendations could be anything from a missing software update to a configuration change like “Enable ‘Block third party cookies’”.

Like the other modules, you can add comments to the incident for additional context. You also choose how far back into the Sentinel DeviceLogonEvents table the module looks, anywhere from 1 to 90 days, to tie the users and IP addresses in the incident to the machines they logged on to. A longer window pulls in more machines, including ones a user may have touched only once, so the highest values the module reports get noisier. I set this to three days, but your mileage may vary.

Module Return Properties

Property: Description
AnalyzedEntities: Number of entities analyzed by the module
UsersHighestRiskScore: The highest risk score found across all machines of a specific user
UsersHighestExposureLevel: The highest exposure level found across all machines of a specific user
IPsHighestExposureLevel: The highest exposure level found across all machines with a specific IP
IPsHighestRiskScore: The highest risk score found across all machines with a specific IP
HostsHighestExposureLevel: The highest exposure level found across all hosts matching the MdatpDeviceId or the FQDN
HostsHighestRiskScore: The highest risk score found across all hosts matching the MdatpDeviceId or the FQDN
ModuleName: The internal name of the playbook
DetailedResults: An array of the accounts and IPs analyzed

Scoring the MDE Module

If you want to score the Defender for Endpoint module, the module’s risk score is calculated from the UsersHighestRiskScore, HostsHighestRiskScore and IPsHighestRiskScore values it returns. The exposure levels are not part of the score; they are there for context.

If ScorePerItem=True, the three values are added together to calculate the risk score; otherwise only the highest of the three counts. Each value maps to points as follows.

MDE HighestRiskScore: Score
High: 10
Medium: 5
Low: 3
Informational: 1
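The following Python is an added worked example, not STAT’s own code, that reproduces both the “highest level across all machines” aggregation of the return properties above and the ScorePerItem scoring rule. It assumes a device inventory shaped like the MDE machines API (riskScore and exposureLevel per device), logon rows loosely shaped like DeviceLogonEvents with assumed column names (AccountUpn, DeviceId, RemoteIP), an assumed “None” level for devices without active alerts that scores 0 points, and constructed sample data rather than real tenant data.

```python
from collections import defaultdict

# MDE level strings ordered lowest to highest. "None" (no active alerts) is an
# assumption; the post's scoring table only lists Informational through High.
LEVEL_RANK = {"None": 0, "Informational": 1, "Low": 2, "Medium": 3, "High": 4}

# Points per HighestRiskScore value, from the post's scoring table.
# "None" -> 0 is an assumption for entities that matched no device.
RISK_POINTS = {"High": 10, "Medium": 5, "Low": 3, "Informational": 1, "None": 0}


def highest(levels):
    """Return the highest MDE level in `levels`, or "None" when nothing matched."""
    return max(levels, key=LEVEL_RANK.__getitem__, default="None")


def mde_module(devices, logons, users=(), ips=(), hosts=()):
    """Build the module's return properties.

    devices: list of {"id", "fqdn", "riskScore", "exposureLevel"} (MDE machine shape)
    logons:  rows with AccountUpn, DeviceId, RemoteIP (assumed DeviceLogonEvents shape),
             already filtered to the chosen look-back window
    users/ips/hosts: the incident entities; hosts match by MdatpDeviceId or FQDN
    """
    by_id = {d["id"]: d for d in devices}
    by_fqdn = {d["fqdn"].lower(): d for d in devices}

    # Users and IPs are tied to machines through the logon rows.
    user_devices = defaultdict(set)
    ip_devices = defaultdict(set)
    for row in logons:
        user_devices[row["AccountUpn"].lower()].add(row["DeviceId"])
        ip_devices[row["RemoteIP"]].add(row["DeviceId"])

    def levels(device_ids, key):
        return [by_id[i][key] for i in device_ids if i in by_id]

    user_ids = {i for u in users for i in user_devices[u.lower()]}
    ip_ids = {i for ip in ips for i in ip_devices[ip]}
    host_devs = [by_id.get(h) or by_fqdn.get(h.lower()) for h in hosts]
    host_ids = {d["id"] for d in host_devs if d}

    return {
        "AnalyzedEntities": len(users) + len(ips) + len(hosts),
        "UsersHighestRiskScore": highest(levels(user_ids, "riskScore")),
        "UsersHighestExposureLevel": highest(levels(user_ids, "exposureLevel")),
        "IPsHighestRiskScore": highest(levels(ip_ids, "riskScore")),
        "IPsHighestExposureLevel": highest(levels(ip_ids, "exposureLevel")),
        "HostsHighestRiskScore": highest(levels(host_ids, "riskScore")),
        "HostsHighestExposureLevel": highest(levels(host_ids, "exposureLevel")),
    }


def mde_risk_score(result, score_per_item):
    """Scoring rule from the post: sum the three HighestRiskScore values when
    ScorePerItem is True, otherwise count only the highest of them.
    Exposure levels are deliberately not scored."""
    points = [RISK_POINTS[result[k]] for k in
              ("UsersHighestRiskScore", "HostsHighestRiskScore", "IPsHighestRiskScore")]
    return sum(points) if score_per_item else max(points)


# Constructed sample data (not real tenant data).
DEVICES = [
    {"id": "d1", "fqdn": "ws01.contoso.local", "riskScore": "Medium", "exposureLevel": "High"},
    {"id": "d2", "fqdn": "ws02.contoso.local", "riskScore": "High", "exposureLevel": "Medium"},
    {"id": "d3", "fqdn": "srv01.contoso.local", "riskScore": "Low", "exposureLevel": "Low"},
]
LOGONS = [
    {"AccountUpn": "alice@contoso.com", "DeviceId": "d1", "RemoteIP": "10.0.0.5"},
    {"AccountUpn": "alice@contoso.com", "DeviceId": "d2", "RemoteIP": "10.0.0.6"},
    {"AccountUpn": "bob@contoso.com", "DeviceId": "d3", "RemoteIP": "10.0.0.5"},
]

if __name__ == "__main__":
    result = mde_module(DEVICES, LOGONS, users=["alice@contoso.com"],
                        ips=["10.0.0.5"], hosts=["srv01.contoso.local"])
    for key, value in result.items():
        print(f"{key}: {value}")
    print("ScorePerItem=True ->", mde_risk_score(result, True))
    print("ScorePerItem=False ->", mde_risk_score(result, False))
```

With the sample data, alice logged on to a Medium and a High device, so UsersHighestRiskScore is High (10 points), the IP 10.0.0.5 resolves to a Medium and a Low device (Medium, 5 points) and the host is Low (3 points): 18 with ScorePerItem=True, 10 without. An entity that matches no device in the look-back window reports “None” and contributes nothing, which is why the window length matters.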

Check out our previous posts in this series

Let’s automate your SOC – Introduction to automating your Microsoft Sentinel

Automate your SOC – Let’s talk about STAT, baby – Introduction and installation of Microsoft STAT Triage

Automate your SOC – Noise is the enemy of speed – How to optimize your incidents

Automate your SOC – Risky Business – Giving your incidents a risk score

Automate your SOC – Oh, that user again? – Enrich your incident by checking a user’s SignIn Risk

Automate your SOC – Is there anything else going on? – Looking at related alerts