MDEAutomator: Automating Microsoft Defender for Endpoint Operations

Microsoft Defender for Endpoint (MDE) is a powerful security platform, but managing it at scale requires automation. MDEAutomator is a PowerShell module developed over four years to streamline MDE operations, particularly for large environments (20K–4M endpoints). This tool leverages the MDE Live Response API as a Remote Monitoring and Management (RMM) solution, enabling SecOps teams to execute actions programmatically.

Key Features of MDEAutomator

Authentication & Utility

– `Connect-MDE` – Authenticates to MDE with a tenant ID, application (client) ID and client secret; every other function depends on this session.
– `Get-AccessToken` – Retrieves the OAuth bearer token used for API calls.
– `Invoke-WithRetry` – Wraps an API call and retries it on transient failures such as throttling.
– `Get-SecretFromKeyVault` – Fetches the client secret from Azure Key Vault so it never sits in scripts or config files.
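`Invoke-WithRetry` is listed above without detail, so here is an added example (ours, not the module's code) of what a retry wrapper for the MDE API has to get right: back off exponentially with jitter, honour a Retry-After header when the service supplies one on HTTP 429, and fail fast on 400/401/403/404, where retrying only hides a token or permissions problem. The function name `Invoke-ApiCallWithRetry`, its parameters and the `$token` variable are illustrative assumptions; `api.securitycenter.microsoft.com` is the MDE API host.

```powershell
# Added example (not MDEAutomator code): retry wrapper for calls against the
# MDE API. Function name, parameters and defaults are illustrative assumptions.
function Invoke-ApiCallWithRetry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][scriptblock]$ScriptBlock,
        [int]$MaxAttempts = 5,
        [int]$BaseDelaySeconds = 2
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            return & $ScriptBlock
        }
        catch {
            # Invoke-RestMethod in PowerShell 7 exposes the HTTP response here;
            # a network-level failure has no response at all, so status is 0.
            $response = $_.Exception.Response
            $status = if ($response) { [int]$response.StatusCode } else { 0 }

            # Retry only throttling (429), transient server errors (5xx) and
            # connection failures. 400/401/403/404 will not fix themselves.
            $retryable = $status -eq 0 -or $status -eq 429 -or ($status -ge 500 -and $status -le 599)
            if (-not $retryable -or $attempt -eq $MaxAttempts) { throw }

            # Exponential backoff with jitter, capped at 60 s, so a fleet of
            # Function App instances does not retry in lockstep.
            $delay = [math]::Min(60, [math]::Pow(2, $attempt - 1) * $BaseDelaySeconds)
            $delay += (Get-Random -Minimum 0 -Maximum 1000) / 1000

            # If the service tells us how long to wait, believe it.
            $retryAfter = $response.Headers.RetryAfter
            if ($retryAfter -and $retryAfter.Delta) { $delay = $retryAfter.Delta.TotalSeconds }

            Write-Warning "Attempt $attempt failed with HTTP $status; retrying in $([math]::Round($delay,1)) s"
            Start-Sleep -Seconds $delay
        }
    }
}

# Usage (assumes $token was obtained via Get-AccessToken):
# $machines = Invoke-ApiCallWithRetry {
#     Invoke-RestMethod -Uri 'https://api.securitycenter.microsoft.com/api/machines' `
#                       -Headers @{ Authorization = "Bearer $token" }
# }
```

The point of the non-retryable list is operational: a 403 from the MDE API means the app registration lacks the permission for that action, and five retries with backoff just delay the moment someone notices.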

Core Operations

– `Get-Machines` – Lists all monitored endpoints.
– `Get-Actions` – Retrieves pending or completed actions.
– `Get-MachineActionStatus` – Checks the status of executed actions.

Live Response Actions

– `Invoke-UploadLR` – Uploads a file or script to the Live Response library, from which it can be pushed to devices.
– `Invoke-PutFile` / `Invoke-GetFile` – Copies a library file to a device / retrieves a file from a device.
– `Invoke-LRScript` – Executes a PowerShell script on a device via Live Response.
– `Get-LiveResponseOutput` – Retrieves the output of a completed Live Response script run.

Response Actions

– `Invoke-MachineIsolation` / `Undo-MachineIsolation` – Isolates a device from the network (its channel to the Defender service stays open) or releases it.
– `Invoke-RestrictAppExecution` – Applies MDE's app-restriction policy so only Microsoft-signed binaries can run.
– `Invoke-FullDiskScan` – Triggers a full Defender Antivirus scan.
– `Invoke-CollectInvestigationPackage` – Collects MDE's investigation package (autoruns, installed programs, network connections, processes, scheduled tasks, event logs and similar forensic artifacts).

Threat Intelligence (IOC Management)

– `Invoke-TiFile` / `Undo-TiFile` – Manages file-based Indicators of Compromise (IoCs).
– `Invoke-TiIP` / `Undo-TiIP` – Controls IP-based IoCs.
– `Invoke-TiURL` / `Undo-TiURL` – Handles malicious URL blocking.
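Pushing a feed straight into `Invoke-TiFile` / `Invoke-TiIP` / `Invoke-TiURL` is how a malformed hash or an internal IP becomes a tenant-wide block. The script below is an added example, not MDEAutomator code: it validates and deduplicates a constructed indicator feed before anything reaches the tenant. The CSV layout is made up for the example, and the `Invoke-Ti*` parameter names (`-Sha256`, `-IP`, `-URL`, `-Action`, `-Title`) are assumptions because the article does not list them; check them against the module's help before turning off the dry-run switch.

```powershell
# Added example (not MDEAutomator code): validate, normalise and deduplicate
# indicators before pushing them with the module's Invoke-Ti* cmdlets.
# Constructed sample feed; values are documentation/test ranges.
$feed = @'
type,value,title
file,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,Empty-file hash (test)
file,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,Same hash in upper case
ip,203.0.113.42,C2 beacon (TEST-NET-3)
ip,10.0.0.1,Internal gateway - must be rejected
url,https://malicious.example/payload.bin,Payload host
url,not a url,Garbage line
'@ | ConvertFrom-Csv

function Test-PrivateIPv4 {
    # RFC 1918 and loopback: blocking these via TI is self-inflicted denial of service.
    param([System.Net.IPAddress]$Address)
    if ($Address.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

function ConvertTo-ValidIndicator {
    # Returns a normalised indicator object, or $null if the row is unusable.
    param([Parameter(Mandatory)]$Row)
    $value = $Row.value.Trim()
    switch ($Row.type) {
        'file' {
            $value = $value.ToLowerInvariant()
            if ($value -notmatch '^[0-9a-f]{64}$') { return $null }   # SHA-256 only
        }
        'ip' {
            $addr = $null
            if (-not [System.Net.IPAddress]::TryParse($value, [ref]$addr)) { return $null }
            if (Test-PrivateIPv4 $addr) { return $null }
            $value = $addr.ToString()
        }
        'url' {
            $uri = $null
            if (-not [System.Uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$uri)) { return $null }
            if ($uri.Scheme -notin 'http', 'https') { return $null }
            $value = $uri.AbsoluteUri
        }
        default { return $null }
    }
    [pscustomobject]@{ Type = $Row.type; Value = $value; Title = $Row.title }
}

$seen  = [System.Collections.Generic.HashSet[string]]::new()
$valid = foreach ($row in $feed) {
    $ind = ConvertTo-ValidIndicator $row
    if ($null -eq $ind) { Write-Warning "Rejected $($row.type) indicator '$($row.value)'"; continue }
    if (-not $seen.Add("$($ind.Type):$($ind.Value)")) { continue }   # duplicate after normalisation
    $ind
}

$DryRun = $true   # set to $false only after Connect-MDE has succeeded
foreach ($ind in $valid) {
    if ($DryRun) { "Would push $($ind.Type) indicator $($ind.Value) ($($ind.Title))"; continue }
    # Parameter names below are assumptions, not taken from the module's documentation.
    switch ($ind.Type) {
        'file' { Invoke-TiFile -Sha256 $ind.Value -Action Block -Title $ind.Title }
        'ip'   { Invoke-TiIP   -IP     $ind.Value -Action Block -Title $ind.Title }
        'url'  { Invoke-TiURL  -URL    $ind.Value -Action Block -Title $ind.Title }
    }
}
```

Run as-is, the dry run emits three indicators: the two rejected rows (private IP, unparseable URL) are logged as warnings and the upper-case duplicate hash is silently collapsed into the first.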

You Should Know: Practical Implementation

1. Setting Up MDEAutomator

Ensure you have:

  • Azure Function Apps (EP1 Plan recommended).
  • Azure Key Vault for secret management.
  • PowerShell 7+ installed.

Installation

# Install from the PowerShell Gallery
Install-Module -Name MDEAutomator -Force -AllowClobber

# Import the module
Import-Module MDEAutomator

# Connect to MDE (the client secret is pulled from Key Vault, not typed into the script)
Connect-MDE -TenantId "your-tenant-id" -ClientId "your-app-id" -ClientSecret (Get-SecretFromKeyVault -VaultName "mde-secrets")

2. Running Live Response Commands

Execute a script on a remote machine and fetch its output. Keep the object returned by Invoke-LRScript so the action ID is read from it rather than guessed (this assumes the cmdlet returns the MDE machine-action object, whose id field identifies the action):

$MachineId = (Get-Machines -Name "Workstation01").id
$Action = Invoke-LRScript -MachineId $MachineId -Script "Get-Process | Export-Csv -Path C:\temp\processes.csv"
Get-LiveResponseOutput -MachineId $MachineId -ActionId $Action.id

3. Isolating a Compromised Endpoint

Invoke-MachineIsolation -MachineId $MachineId -Comment "Containment due to ransomware detection" 

4. Scanning for Malware

Invoke-FullDiskScan -MachineId $MachineId 

5. Collecting Forensic Data

Invoke-CollectInvestigationPackage -MachineId $MachineId -OutputPath "\\fileserver\forensics\"
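Steps 3 to 5 above each fire one action and move on; in a real containment you need to confirm that each action actually completed before starting the next, and you must refuse to act on an ambiguous device name. The script below is an added example built on the cmdlets the article shows, not code from MDEAutomator itself. It takes its parameter names from the snippets above (`-Name`, `-MachineId`, `-Comment`) and assumes two things the article does not state: that `Get-MachineActionStatus` accepts `-ActionId`, and that each `Invoke-*` cmdlet returns the MDE machine-action object, whose `id` and `status` fields (Pending, InProgress, Succeeded, Failed, TimeOut, Cancelled) are the API's own.

```powershell
# Added example (not MDEAutomator code): containment playbook that isolates,
# preserves evidence, then scans, polling each action to completion.
# Assumptions: Get-MachineActionStatus -ActionId exists, and Invoke-* cmdlets
# return the MDE machine-action object with .id and .status.

function Wait-MdeAction {
    param(
        [Parameter(Mandatory)][string]$ActionId,
        [int]$TimeoutMinutes = 30,
        [int]$PollSeconds = 15
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $action = Get-MachineActionStatus -ActionId $ActionId
        # Terminal states of an MDE machine action
        if ($action.status -in 'Succeeded', 'Failed', 'TimeOut', 'Cancelled') { return $action }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Action $ActionId did not reach a terminal state within $TimeoutMinutes minutes"
}

function Invoke-ContainmentPlaybook {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [Parameter(Mandatory)][string]$IncidentId
    )
    # Device names are not unique across a tenant; never isolate "whatever matched".
    $machines = @(Get-Machines -Name $DeviceName)
    if ($machines.Count -ne 1) {
        throw "Expected exactly one device named '$DeviceName', found $($machines.Count); refusing to act on an ambiguous target"
    }
    $machineId = $machines[0].id
    $comment   = "Incident $IncidentId - automated containment"

    # 1. Isolate first. Isolation keeps the device's channel to the Defender
    #    service open, so the following actions still reach it.
    $iso = Invoke-MachineIsolation -MachineId $machineId -Comment $comment
    $isoResult = Wait-MdeAction -ActionId $iso.id
    if ($isoResult.status -ne 'Succeeded') { throw "Isolation of $machineId ended in state $($isoResult.status)" }

    # 2. Preserve evidence before remediation changes the disk.
    $pkg = Invoke-CollectInvestigationPackage -MachineId $machineId
    $pkgResult = Wait-MdeAction -ActionId $pkg.id

    # 3. Scan only after the package has been collected; a full scan can take hours.
    $scan = Invoke-FullDiskScan -MachineId $machineId
    $scanResult = Wait-MdeAction -ActionId $scan.id -TimeoutMinutes 180

    [pscustomobject]@{
        MachineId = $machineId
        Isolation = $isoResult.status
        Package   = $pkgResult.status
        Scan      = $scanResult.status
    }
}

# Usage (after Connect-MDE):
# Invoke-ContainmentPlaybook -DeviceName 'Workstation01' -IncidentId 'INC-0420'
```

The ordering is deliberate: isolation stops lateral movement immediately, the investigation package captures volatile state (processes, connections, autoruns) before the scan quarantines or deletes anything, and a failed isolation aborts the run rather than continuing against a device that is still on the network.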

What Undercode Say

MDEAutomator bridges the gap between MDE’s GUI and large-scale automation. Key takeaways:
– Use Azure Functions for scalable API interactions.
– Leverage Live Response as an RMM for remote management.
– Automate IoC deployment for rapid threat containment.

Additional Useful Commands

Linux (Defender for Endpoint)

# Check MDE status
mdatp health

# Trigger a full scan
mdatp scan full

# List detected threats
mdatp threat list

Windows (PowerShell; these cmdlets are not among the MDEAutomator functions listed above)

# List MDE alerts
Get-MdeAlert -Top 100

# Check device vulnerabilities
Get-MdeMachineVulnerability -MachineId "device-id"

Expected Output:

A fully automated MDE workflow with:

  • Remote script execution.
  • Automated threat containment.
  • Forensic data collection.

For more details, check the GitHub repository (when released).

This article provides actionable insights for SecOps teams managing MDE at scale. If you’re working with Defender for Endpoint, MDEAutomator is a must-explore tool.

References:

Reported By: 59852820r9f Mdeautomator – Hackers Feeds