
Microsoft Defender for Endpoint (MDE) is a critical tool for enterprise security, and the MDEAutomator PowerShell module enhances its functionality by automating common tasks. Below are the key features and practical implementations of this module.
Key Functions of MDEAutomator
1. Get-IPInfo
Retrieves threat intelligence on IP addresses from MDE, including alerts, statistics, and hunting data.
Get-IPInfo -token $token -IPs @("1.2.3.4", "5.6.7.8")
2. Get-FileInfo
Extracts file metadata, related alerts, and machine associations using SHA1/SHA256 hashes.
Get-FileInfo -token $token -Sha1s @("a94a8fe5cc...", "b1d5781111...")
3. Get-LoggedInUsers
Lists active or recently logged-in users on monitored devices.
$deviceIds = Get-Machines -token $token | Select-Object -ExpandProperty Id
$users = Get-LoggedInUsers -token $token -DeviceIds $deviceIds
$users | Format-Table DeviceId, AccountName, LogonTime, LastSeen
4. Invoke-StopAndQuarantineFile
Stops the running process and quarantines the file, identified by SHA1 hash, on every onboarded device where it is found. Devices that are offline at the time do not complete the action until they next check in.
Invoke-StopAndQuarantineFile -token $token -Sha1 "a94a8fe5cc..."
5. Get-Indicators
Fetches custom threat intelligence indicators (IOCs).
Get-Indicators -token $token
You Should Know: Practical Implementation
Installation
Install-Module -Name MDEAutomator
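Every example on this page passes a `$token`, but none shows where it comes from. The following is an added example, not code from MDEAutomator, of obtaining an app-only bearer token for the Defender for Endpoint API with the OAuth2 client-credentials flow. It assumes an Entra ID app registration that has been granted (and admin-consented) the WindowsDefenderATP application permissions the later calls need, for example Ip.Read.All, Machine.Read.All, Ti.ReadWrite and AdvancedQuery.Read.All; the tenant and client IDs are placeholders.

```powershell
# Added example (not MDEAutomator code): acquire an app-only token for the MDE API.
# Assumes an Entra ID app registration with WindowsDefenderATP application permissions
# already granted admin consent. Tenant ID and client ID below are placeholders.
function Get-MdeToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [securestring] $ClientSecret
    )

    # Client-credentials flow. The scope targets the MDE API itself, not Microsoft Graph;
    # a Graph token is rejected by api.securitycenter.microsoft.com.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
        scope         = 'https://api.securitycenter.microsoft.com/.default'
    }

    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body

    # Decode the JWT payload (base64url, no padding) and surface the granted roles, so a
    # consent problem shows up here rather than as a 403 three calls later.
    $payload = $resp.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
        ConvertFrom-Json
    if (-not $claims.roles) {
        Write-Warning 'Token carries no application roles; check API permissions and admin consent.'
    } else {
        Write-Verbose ("Granted roles: " + ($claims.roles -join ', '))
    }
    return $resp.access_token
}

# Read the secret at runtime instead of embedding it in the script or shell history.
$secret = Read-Host -Prompt 'Client secret' -AsSecureString
$token  = Get-MdeToken -TenantId '00000000-0000-0000-0000-000000000000' `
                       -ClientId '11111111-1111-1111-1111-111111111111' `
                       -ClientSecret $secret -Verbose
```

Tokens issued this way expire after roughly an hour, so long-running automation should call `Get-MdeToken` again on a 401 rather than caching the value indefinitely. Prefer a certificate credential or a managed identity over a client secret for anything that runs unattended.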
Handling Offline Devices
MDEAutomator wraps API calls in `Invoke-WithRetry` for resilience against transient errors. Retries do not help with offline devices: an action targeting a device that is not connected stays pending until the device next checks in, and may still be outstanding when the retry window closes. Treat any failed or pending device count in the output as follow-up work, not as a final result.
Automating Threat Response
Combine these functions to automate IOC hunting and remediation:
Step 1: Fetch suspicious IPs from alerts
$suspiciousIPs = Get-IPInfo -token $token -IPs @("1.2.3.4") | Where-Object { $_.RiskScore -gt 70 }
Step 2: Block malicious IPs on the local host's firewall (this rule only affects the machine running the script, not the rest of the fleet)
$suspiciousIPs | ForEach-Object {
New-NetFirewallRule -DisplayName "Block_$($_.IP)" -Direction Outbound -Action Block -RemoteAddress $_.IP
}
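A `New-NetFirewallRule` call blocks the address only on the host where the script runs. To contain an IP across every onboarded device, push it as an MDE custom indicator instead. The block below is an added example, not MDEAutomator code: it validates and deduplicates the triaged addresses, refuses to block private, loopback or link-local space, and submits each survivor to the MDE indicators API. It assumes `$token` was obtained with the Ti.ReadWrite (or Ti.ReadWrite.All) application permission; the IP list is constructed sample data standing in for the output of Step 1.

```powershell
# Added example (not MDEAutomator code): fleet-wide IP block via MDE custom indicators.
# Assumes $token holds a bearer token with Ti.ReadWrite permission.
# Constructed sample input standing in for triaged alert data:
$suspiciousIPs = @(
    [pscustomobject]@{ IP = '203.0.113.10'; RiskScore = 92 },
    [pscustomobject]@{ IP = '203.0.113.10'; RiskScore = 92 },  # duplicate: submit once
    [pscustomobject]@{ IP = '10.0.0.5';     RiskScore = 88 },  # RFC 1918: never block blindly
    [pscustomobject]@{ IP = 'not-an-ip';    RiskScore = 99 }   # malformed: must be rejected
)

function Test-PublicIPv4 {
    param([string] $Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref] $ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    # A block indicator on internal, loopback or link-local space can cut off the whole fleet.
    if ($b[0] -eq 10) { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }
    if ($b[0] -eq 127 -or ($b[0] -eq 169 -and $b[1] -eq 254)) { return $false }
    return $true
}

function New-MdeIpBlockIndicator {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $IP,
        [string] $Title = 'Automated block from alert triage',
        [int] $ExpireDays = 30
    )
    # Indicators should expire; a permanent block on a recycled cloud IP becomes a silent outage.
    $body = @{
        indicatorValue = $IP
        indicatorType  = 'IpAddress'
        action         = 'Block'
        title          = $Title
        description    = "Blocked by automated triage on $(Get-Date -Format u)"
        severity       = 'High'
        expirationTime = (Get-Date).ToUniversalTime().AddDays($ExpireDays).ToString('o')
    } | ConvertTo-Json
    if ($PSCmdlet.ShouldProcess($IP, 'Create MDE block indicator')) {
        Invoke-RestMethod -Method Post `
            -Uri 'https://api.securitycenter.microsoft.com/api/indicators' `
            -Headers @{ Authorization = "Bearer $Token" } `
            -ContentType 'application/json' -Body $body
    }
}

# Only 203.0.113.10 survives the filters and is submitted exactly once.
$suspiciousIPs |
    Where-Object { $_.RiskScore -gt 70 -and (Test-PublicIPv4 $_.IP) } |
    Select-Object -ExpandProperty IP -Unique |
    ForEach-Object { New-MdeIpBlockIndicator -Token $token -IP $_ -WhatIf }
```

Run it with `-WhatIf` first to see which addresses would be submitted, then drop the switch. Because the function supports `ShouldProcess`, `-Confirm` also works for a human-in-the-loop approval step before each block lands.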
Advanced Hunting with KQL
Use MDE’s Kusto Query Language (KQL) for deeper analysis:
DeviceLogonEvents
| where ActionType == "LogonSuccess"
| where Timestamp > ago(7d)
| summarize LogonCount = count() by AccountName
| order by LogonCount desc
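The query above ranks accounts by raw logon volume, which mostly surfaces busy users. The following is an added example, not from the page or the module, that runs a query through the MDE advanced-hunting API from PowerShell and goes one step further: it counts distinct devices per account over network and RDP logons, the signal that separates a busy user from a credential being used for lateral movement. It assumes `$token` carries the AdvancedQuery.Read.All permission; the allow-list entries are placeholders.

```powershell
# Added example (not MDEAutomator code): run KQL via the MDE advanced-hunting API and
# post-process the rows. Assumes $token carries AdvancedQuery.Read.All.
$kql = @'
DeviceLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonSuccess"
| where LogonType in ("Network", "RemoteInteractive")
| summarize LogonCount = count(), DeviceCount = dcount(DeviceName),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by AccountDomain, AccountName
| where DeviceCount >= 5
| order by DeviceCount desc, LogonCount desc
'@

function Invoke-MdeHunt {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $Query
    )
    $resp = Invoke-RestMethod -Method Post `
        -Uri 'https://api.securitycenter.microsoft.com/api/advancedqueries/run' `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' `
        -Body (@{ Query = $Query } | ConvertTo-Json)
    # The API returns Stats, Schema and Results; only the rows matter here.
    return $resp.Results
}

# Service accounts legitimately touch many hosts; exclude known ones and machine accounts
# (names ending in $) before anyone gets paged. Placeholder names, adjust per environment.
$allowList = @('svc-backup', 'svc-scanner')

Invoke-MdeHunt -Token $token -Query $kql |
    Where-Object { $_.AccountName -notin $allowList -and $_.AccountName -notlike '*$' } |
    Format-Table AccountDomain, AccountName, DeviceCount, LogonCount, FirstSeen, LastSeen -AutoSize
```

The `DeviceCount >= 5` threshold is a starting point; tune it against a week of baseline data, and feed any account that clears it into the device-level lookups (`Get-LoggedInUsers`) rather than acting on the summary row alone.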
What Undercode Says
MDEAutomator bridges the gap between Defender’s GUI and automation, enabling SecOps teams to:
– Reduce manual investigations with scripted IOC lookups.
– Enforce rapid containment via automated file quarantine.
– Enhance visibility through structured user session tracking.
Expected Output:
For a compromised file (`SHA1: a94a8fe5cc…`), running:
Invoke-StopAndQuarantineFile -token $token -Sha1 "a94a8fe5cc..."
Should return:
ActionStatus       : Succeeded
QuarantinedDevices : 5
FailedDevices      : 1 (Offline)
Prediction
As adversaries evolve, expect more PowerShell-based automation tools like MDEAutomator to integrate with AI-driven threat detection, enabling real-time autonomous response.
🔗 GitHub Repo: MDEAutomator


