Microsoft Defender for Endpoint
We’re back with another edition of Automate your SOC with Microsoft STAT. Today we’re going to discuss the Microsoft Defender for Endpoint module (MDEModule). This module can retrieve a few pieces of information that can enrich your incident.
The module can return the risk level and exposure level from MDE from the machines, the user or the IP address.
Like the Azure AD module, we need to discuss what risk level and exposure level mean.
The risk level is based on a combination of factors, including the types and severity of active alerts on the device. The exposure level is based on the pending security recommendations. These recommendations could be anything from a software update to a configuration change like “Enable ‘Block third party cookies’“.
Like the other modules, you can add comments to the incident for additional context. And you also have the option to decide how far back into the Sentinel DeviceLogonEvents table you want to look for information. You can look back from 1-90 days. I set this to three days, but your mileage may vary.
Module Return Properties
| Property | Description |
|---|---|
| AnalyzedEntities | Number of entities analyzed in the module |
| UsersHighestRiskScore | The highest risk score found for all machines of a specific user |
| UsersHighestExposureLevel | The highest exposure level found for all machines of a specific user |
| IPsHighestExposureLevel | The highest risk score level found for all machines with a specific IP |
| IPsHighestRiskScore | The highest exposure level found for all machines with a specific IP |
| HostsHighestExposureLevel | The highest risk score level found for all hosts matching the MdatpDeviceId or the FQDN |
| HostsHighestRiskScore | The highest exposure level found for all hosts matching the MdatpDeviceId or the FQDN |
| ModuleName | The internal Name of the Playbook |
| DetailedResults | An array of the accounts and IPs analyzed |
Scoring the MDE Module
If you want to score the Defender for Endpoint module, the devices risk score will be calculated from the UsersHighestRiskScore, HostsHighestRiskScore and IPsHighestRiskScore values from the MDE module.
If ScorePerItem=True, the 3 values will be added together to calculate the risk score, otherwise only the highest value will be returned.
| MDE HighestRiskScore | Score |
|---|---|
| High | 10 |
| Medium | 5 |
| Low | 3 |
| Informational | 1 |
Check out our previous posts in this series
Let’s automate your SOC – Introduction to automating your Microsoft Sentinel
Automate your SOC – Let’s talk about STAT, baby – Introduction and installation of Microsoft STAT Triage
Automate your SOC – Noise is the enemy of speed – How to optimize your incidents
Automate your SOC – Risky Business – Giving your incidents a risk score
Automate your SOC – Oh, that user again? – Enrich your incident with by checking user’s SignIn Risk
Automate your SOC – Is there anything else going on? – Looking at related alerts
