Listen to this Post

Introduction:
In modern cybersecurity, knowing what you have is the first step in protecting it. Exposure Management has emerged as a critical discipline, focusing on continuously identifying, classifying, and assessing an organization’s attack surface. A new integration within the Maester security framework for Microsoft Defender now specifically targets a common gap in this process: assets languishing in classification limbo, waiting for manual approval and leaving organizations unknowingly exposed.
Learning Objectives:
- Understand the critical role of asset classification in Microsoft Defender’s security posture.
- Learn how to install, configure, and authenticate the Maester framework to run security checks.
- Master the commands to execute the new MT.1085 check and automate the remediation of unclassified assets.
You Should Know:
1. The Foundation: Installing the Maester PowerShell Module
Before you can pinpoint unclassified assets, you need the right tools. Maester is a community-driven PowerShell module designed to audit and harden your Microsoft security configurations.
`Verified PowerShell Command: Install the Maester Module`
Install the Maester module from the PowerShell Gallery Install-Module -Name Maester -Force -Repository PSGallery Import the module into your current session Import-Module Maester
Step-by-step guide:
This command connects your PowerShell session to the public PowerShell Gallery repository and downloads the latest version of the Maester module. The `-Force` parameter ensures a clean install, overwriting any previous versions. Importing the module makes its functions, like Get-MaesterCheck, available for use in your current session. Always ensure your PowerShell execution policy allows script installation (e.g., Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser).
2. Gaining Access: Authenticating with Microsoft Entra ID
Maester requires delegated permissions to read security data from your Microsoft Defender and Entra ID tenants. Authentication is handled via the modern MSAL-based `MgGraph` module.
`Verified PowerShell Command: Connect to Microsoft Graph`
Connect to Microsoft Graph with the required scopes for Maester Connect-MgGraph -Scopes "SecurityEvents.ReadWrite.All", "User.Read", "Organization.Read.All" Verify your connection and tenant context Get-MgContext
Step-by-step guide:
The `Connect-MgGraph` cmdlet triggers a device authentication flow. You will be prompted to open a browser and enter a code provided by PowerShell to authenticate. The `-Scopes` parameter defines the precise permissions the session requests; `SecurityEvents.ReadWrite.All` is crucial for accessing Defender data. `Get-MgContext` confirms a successful connection and displays the tenant ID and account you are using, which is vital for ensuring you are assessing the correct environment.
3. Running the Check: Executing Maester’s MT.1085
With access granted, you can now execute the specific check for pending asset classifications. This check, identified as MT.1085, queries Defender’s exposure management APIs.
`Verified PowerShell Command: Execute the Asset Classification Check`
Run the specific Maester check for pending asset classification approvals Get-MaesterCheck -CheckId "MT.1085" Alternatively, run all available Maester checks for a comprehensive audit Get-MaesterCheck
Step-by-step guide:
The `Get-MaesterCheck` cmdlet is the workhorse of the framework. By specifying the -CheckId "MT.1085", you target only the new asset classification check. Without an ID, it runs all available checks, providing a broader security assessment. The cmdlet outputs a list of findings, typically including the asset name, its current unclassified state, and a direct link to the approval queue in the Microsoft Defender portal.
- Interpreting the Results: From Console Output to Action
The raw output from Maester is useful, but translating it into a actionable list is key for system administrators and security analysts.`Verified PowerShell & Bash Command: Parse and Format Results`
PowerShell: Capture results and filter for critical pending items $PendingAssets = Get-MaesterCheck -CheckId "MT.1085" | Where-Object {$_.Risk -eq "High"} $PendingAssets | Format-Table AssetName, CurrentLabel, LastSeen -AutoSizeLinux/macOS (if output is saved to JSON): Use jq to parse Assuming you saved the output: maester_output.json cat maester_output.json | jq -r '.[] | select(.CheckId == "MT.1085" and .Risk == "High") | "(.AssetName) is pending classification as (.CurrentLabel)"'
Step-by-step guide:
The PowerShell example stores the results of the MT.1085 check in a variable and then filters for only those assets with a ‘High’ risk designation. It then presents a clean, formatted table. The bash example uses jq, a powerful JSON processor, to parse a saved JSON output file, filtering for the same high-risk items and printing a human-readable string. This enables prioritization of the most critical assets.
5. Automating the Workflow: Scheduling Regular Checks
Security is not a one-time event. Automating this check ensures you are continuously monitoring for new unclassified assets.
`Verified Windows/Linux Command: Schedule a Daily Task`
Windows: Create a scheduled task using PowerShell $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -WindowStyle Hidden -Command <code>"Import-Module Maester; Connect-MgGraph -Scopes 'SecurityEvents.ReadWrite.All'; Get-MaesterCheck -CheckId 'MT.1085' | Export-Csv -Path 'C:\MaesterLogs\MT1085_Log.csv' -NoTypeInformation</code>"" $Trigger = New-ScheduledTaskTrigger -Daily -At 9am Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName "Maester_MT1085_Daily_Check" -Description "Daily check for unclassified assets"
Linux: Add a daily cron job Edit the crontab for the current user crontab -e Add the following line to run the check every day at 9 AM (assuming a script is built) 0 9 /path/to/your/maester_mt1085_script.sh
Step-by-step guide:
The Windows command creates a scheduled task that runs a hidden PowerShell window daily at 9 AM. The script inside the task authenticates, runs the check, and appends the results to a CSV log file for historical tracking. The Linux example uses `crontab -e` to edit the user’s cron table, adding a job that executes a shell script at the same time. The shell script would need to contain the necessary authentication and command logic.
6. API-Driven Integration: Querying Directly via Microsoft Graph
For advanced automation and integration into SIEMs or custom dashboards, you can bypass the module and query the underlying Microsoft Graph API directly.
`Verified Bash Command with curl: Direct Graph API Call`
Use curl to directly query Microsoft Graph for security data. Requires a valid Bearer token from an MSAL-based authentication flow. ACCESS_TOKEN="your_access_token_here" curl -H "Authorization: Bearer $ACCESS_TOKEN" \ "https://graph.microsoft.com/v1.0/security/securescores?`$top=1"
Step-by-step guide:
This is a more advanced technique. It uses `curl` to make a RESTful GET request to the Microsoft Graph API endpoint for secure scores. The `Authorization` header containing the Bearer token is mandatory. Obtaining the `ACCESS_TOKEN` programmatically requires a separate OAuth 2.0 device code or client credentials flow. This method provides maximum flexibility but requires robust error handling and token management.
7. Hardening the Classifier: Reducing Future Manual Effort
The ultimate goal is to minimize manual approvals by refining the automatic classification rules. This involves analyzing the assets that consistently require manual review.
`Verified KQL Query for Advanced Hunting`
// Microsoft Defender Advanced Hunting query to find new, unclassified servers DeviceInfo | where Timestamp > ago(7d) | where OnboardingStatus == "Onboarded" | where isempty(DeviceType) or DeviceType == "Unclassified" | project Timestamp, DeviceName, OSPlatform, DeviceType, OnboardingStatus | order by Timestamp desc
Step-by-step guide:
This Kusto Query Language (KQL) query, run in Microsoft Defender’s Advanced Hunting portal, helps you proactively discover the root cause. It looks for devices onboarded in the last week that remain unclassified. By regularly running this query, you can identify patterns—perhaps a specific onboarding script or a new cloud workload—that are not triggering automatic classification rules, allowing you to adjust the policies and reduce the MT.1085 check’s workload over time.
What Undercode Say:
- Visibility is the New Control: The most sophisticated security controls are blind without proper asset inventory. Maester’s MT.1085 check operationalizes exposure management by turning a theoretical best practice into a measurable, actionable task.
- Automation is a Force Multiplier: By scripting these checks and integrating them into daily workflows, security teams shift from reactive firefighting to proactive posture management, ensuring no asset slips through the cracks due to process latency.
This development signifies a maturation of the exposure management market. It’s no longer about just discovering assets; it’s about managing the entire lifecycle, including the governance and approval workflows. Tools like Maester are filling the crucial gap between the raw data produced by platforms like Microsoft Defender and the operational procedures required to act on it. By providing a scriptable, automation-friendly interface, it empowers security teams to codify their security posture and integrate critical checks directly into their CI/CD and SOC workflows.
Prediction:
The integration of granular, automatable checks like MT.1085 will become the standard for cloud security platforms. We predict a future where exposure management will be deeply intertwined with Identity and Access Management (IAM) and DevOps pipelines. Security posture will be continuously verified not by monthly reports, but by real-time, API-driven checks that can block deployments or trigger automated remediation if an asset is found to be non-compliant or unclassified, fundamentally shifting security “left” and “down” into the core of IT operations.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Thomasnaunheim Maester – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


