Defender for Endpoint: Some Essential Queries That You Must Use Right Now!

Overview

Being an Intune administrator means that in addition to managing and deploying endpoints, you are also somewhat responsible for ensuring that they continue to comply to the security standards set forth by your company.

Likewise, you may have heard a lot about utilizing Microsoft Defender for Endpoint to construct logic apps and do threat-hunting queries, and you may want to give those a shot as well. Excellent! Starting off with some field notes, I’ve included a few use cases that you should also try or implement to gain a better grasp of your devices and their security posture.

The Need

Proactively detecting and eliminating advanced threats via threat hunting is becoming increasingly important for many organizations and is actually a time consuming task. However, you may set up rules that automatically adjust to your security policies in accordance with the most recent threat information.

There are many ways to achieve this automation, like:

Automating SIEM/EDR/ATP queries
Use runbooks for automation of incidents
Use Logic apps
Automate queries & reports using Power Automate & PowerApps
Create dashboards using Power BI

Now, let’s get into some threat-hunting ideas to look for and build some simple must have queries.

Devices Not Onboarded to MDE

It is quite common in any environment to have endpoints that have not been successfully onoarded to defender for endpoint. Such devices are shown as “can be onoarded” in recommendations. Logging into your Defender admin portal and verifying the list on daily basis can be a daunting task. However you can easily automate this by scheduling a report of such devices using Power Automate or Logic Apps.

I am using Power Automate for this and the configuration is as below:

Sign in to Power Automate.
Select My flows > New flow > Scheduled cloud flow.

In the fields next to Starting, specify the date and time when your flow should start.
In the fields next to Repeat every, specify the flow’s recurrence.
Select Create.
Select Recurrence > Show advanced options and configure the schedule.

Choose Microsoft Defender Advance Hunting for the new step and type your query:

Create a CSV to export all the results from the query.

Schedule the report.

Local Admin Report

This is one of the most common requirements and you can easily use KQL query in the Advanced Hunting to create & schedule a report for machines having users added as local admin to them.

DeviceLogonEvents
| where Timestamp >= ago(7d)
| where IsLocalAdmin == true

| summarize count() by DeviceName, AccountName,LogonType
| sort by AccountName

Hunting For Legacy Authentication

Basic authentication has been depreciated so it’s time to hunt down the applications and clients with Basic Authentication and switch to newer authentication methods.

SigninLogs
| where ClientAppUsed !in ("Mobile Apps and Desktop clients", "Browser")
| where isnotempty(ClientAppUsed)
| evaluate pivot(ClientAppUsed, count(), UserPrincipalName)

You can easily automate a daily report using it in Power Automate.

If you are using Microsoft Defender for Endpoint for your Android Enterprise and iOS devices then there are certain configurations required in defender portal to avoid unnecessary alerts on end-users devices.

Whitelist Your Trusted Root Certificate

If you are deploying trusted root certificates on your enterprise devices then you might receive alerts in defender portal for “Suspicious certificates installed on one endpoint”. Since these devices are corporate owned devices and have your root certificate installed then you can classify these alerts as false positive i.e. detected and identified as malicious even though the entity isn’t actually a threat.

Only apps/programs signed with the exact signed certificate uploaded as indicator are affected. Do not expect to upload a root certificate and all sub certificates will be handled the same.

The full chain of trust for the certificate must be valid and either be trusted through a root certificate in the Microsoft Trusted Root Program or the root certificate must be present in the Trusted Root Certification Authorities store.

To do so, the steps are as below:

Select Settings > Endpoints > Indicators (under Rules) in the navigation pane.
Select Add indicator.

Specify the following details:
- Indicator – Specify the entity details and define the expiration of the indicator.
- Action – Specify the action to be taken and provide a description.
- Scope – Define the scope of the machine group.

Review the details in the Summary tab, then click Save.

Supress iOS/Android Upgrade Notifications

If you have configured software update deferral policies for your iOS & Android Enterprise devices then you might observe that the end users are ntofied to update iOS update notifications in Defender for Endpoint app. And this causes confusion and a bad user experience.

To avoid these notifications on end user’s devices, you simply need to create an exception for iOS Upgrade in Defender portal. The process is pretty simple- select the security recommendation for iOS update and then select Exception options and fill out the form.

These are merely a few extremely simple instances, and the list is by no means complete. You can engage in a wide variety of approaches and methods when hunting. As you begin to evaluate your environment and choose the types of approaches and data you can use, your hunting maturity will increase.