
[Feature] Add additional methods to MDE module #452

Closed
jujaakko opened this issue Jun 18, 2024 · 5 comments · Fixed by briandelmsft/STAT-Function#81
Assignees
Labels
enhancement Enhancement to existing module module/base Base Module

Comments

@jujaakko

Is your feature request related to a problem? Please describe.
In some cases, a host-type entity in the incident does not contain either MDE ID or proper FQDN. As a result, the MDE module returns no results, even though the device (host) in the incident is onboarded to MDE. An example, for which the MDE module doesn't return any information:

[image: screenshot of the incident host entity attached to the original issue]

Describe the solution you'd like

The MDE module could obtain, for example, the aadDeviceId using KQL (module) and fetch the information from the MDE API using this identifier. The KQL query could be something like this:

```kql
DeviceInfo
// filter on the device name column; the original draft filtered AadDeviceId, which never holds a hostname
| where DeviceName has "<hostname>"
| project AadDeviceId
| take 1
```

and the API call would be something like this:

```text
https://api.securitycenter.microsoft.com/api/machines?$filter=aadDeviceId eq AadDeviceId
```

@jujaakko jujaakko added the pending-triage Submitted issue needing triage label Jun 18, 2024
@briandelmsft briandelmsft added module/base Base Module enhancement Enhancement to existing module and removed pending-triage Submitted issue needing triage labels Jun 18, 2024
@briandelmsft briandelmsft self-assigned this Jun 18, 2024
@briandelmsft
Owner

@jujaakko I like this idea. I see in your sample KQL you are doing a take 1; my concern here is ensuring we find the right device, since there could be more than one device with the right name. I'm thinking we have to put in some more logic here.

If we have an FQDN, try to match on the FQDN first.
If not, fall back to hostname.
If more than one match, then find the one that's most recently communicated, or filter out devices that haven't communicated in x days. If there are multiple devices that have recently communicated with the same name, I think we may just need to fail intentionally, since we don't really know which device is the correct one.
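One way to implement the matching order described above, together with the aadDeviceId lookup proposed in the opening post, is sketched here as an added example; it is not STAT-Function code and not the maintainer's implementation. The `Machine` fields, the sample records, and the fixed `NOW` timestamp are constructed for the example; the OData `$filter` form with a single-quoted literal is standard OData, not taken from the page.

```python
"""Resolve an incident host entity to a single MDE machine record.

Matching order: exact FQDN first, then short hostname; among several
matches keep only devices seen within `max_age_days`; if more than one
remains, fail instead of guessing. Also builds the machines API URL with
an OData $filter on aadDeviceId. All field names and records are
constructed for this example (assumptions, not the real API schema).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional
from urllib.parse import quote

MDE_MACHINES_URL = "https://api.securitycenter.microsoft.com/api/machines"

# Fixed reference time so results are deterministic (constructed).
NOW = datetime(2024, 6, 19, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Machine:
    """Subset of an MDE machine record; field names assumed for the example."""
    id: str
    computer_dns_name: str
    aad_device_id: str
    last_seen: datetime


class AmbiguousDeviceError(LookupError):
    """Several recently active devices share the name; refuse to guess."""


def _hostname(name: str) -> str:
    """Short hostname, lower-cased, so 'SRV01.contoso.com' and 'srv01' compare equal."""
    return name.split(".", 1)[0].lower()


def resolve_device(machines: Iterable[Machine], hostname: str,
                   fqdn: Optional[str] = None, max_age_days: int = 7,
                   now: datetime = NOW) -> Optional[Machine]:
    """Return the one machine the host entity refers to, or None if unknown."""
    machines = list(machines)
    candidates: List[Machine] = []
    # 1. An exact FQDN match wins when the entity carries an FQDN.
    if fqdn:
        candidates = [m for m in machines
                      if m.computer_dns_name.lower() == fqdn.lower()]
    # 2. Otherwise fall back to the short hostname.
    if not candidates:
        candidates = [m for m in machines
                      if _hostname(m.computer_dns_name) == _hostname(hostname)]
    if not candidates:
        return None
    if len(candidates) == 1:
        return candidates[0]
    # 3. Several matches: keep only devices that communicated recently.
    cutoff = now - timedelta(days=max_age_days)
    recent = [m for m in candidates if m.last_seen >= cutoff]
    if len(recent) == 1:
        return recent[0]
    if not recent:
        # Every duplicate is stale; take the one seen most recently.
        return max(candidates, key=lambda m: m.last_seen)
    raise AmbiguousDeviceError(
        f"{len(recent)} devices named {hostname!r} seen since {cutoff:%Y-%m-%d}: "
        + ", ".join(m.id for m in recent))


def machines_url_for_aad_device_id(aad_device_id: str) -> str:
    """Machines API URL filtered on aadDeviceId.

    OData string literals are single-quoted and an embedded quote is doubled,
    so the value cannot break out of the filter expression.
    """
    literal = aad_device_id.replace("'", "''")
    return f"{MDE_MACHINES_URL}?$filter=" + quote(f"aadDeviceId eq '{literal}'", safe="'")


# Constructed sample records: the same short name in two domains plus a stale duplicate.
SAMPLE_MACHINES = [
    Machine("m-1", "srv01.contoso.com", "11111111-0000-0000-0000-000000000001", NOW - timedelta(days=1)),
    Machine("m-2", "srv01.fabrikam.com", "22222222-0000-0000-0000-000000000002", NOW - timedelta(days=2)),
    Machine("m-3", "srv01.contoso.com", "33333333-0000-0000-0000-000000000003", NOW - timedelta(days=30)),
    Machine("m-4", "web02.contoso.com", "44444444-0000-0000-0000-000000000004", NOW - timedelta(hours=3)),
]

if __name__ == "__main__":
    hit = resolve_device(SAMPLE_MACHINES, "srv01", fqdn="srv01.contoso.com")
    print(hit.id, machines_url_for_aad_device_id(hit.aad_device_id))
    try:
        resolve_device(SAMPLE_MACHINES, "srv01")  # hostname only: two active matches
    except AmbiguousDeviceError as err:
        print("refused:", err)
```

With the sample data, the FQDN lookup returns `m-1` (the stale `m-3` is dropped by the seven-day window), while a hostname-only lookup for `srv01` raises because both `m-1` and `m-2` communicated recently; that is the intentional failure the comment above describes.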

@briandelmsft
Owner

@piaudonn do you think we should provide an option to disable this enrichment via host name?

@jujaakko
Author

jujaakko commented Jun 19, 2024

I agree, that would be a problem; this was just the first idea that came to me. Your logic sounds like a good option.

Maybe one solution could be that if there are multiple devices with the same name, just make the MDE API query for each of them and return all values? As a user, I think I'd rather have all the information at hand than nothing at all. Though this might mess up the scoring?

@briandelmsft
Owner

@jujaakko I'll provide a link to the build and instructions early next week, as soon as I've tested the build.

@briandelmsft
Owner

@jujaakko the build with this functionality is now published. To update, simply repoint your function app to: https://github.com/briandelmsft/STAT-Function/releases/download/v2.0.8/stat.zip

To repoint the function app, locate the function app in the Azure portal and in the menu click 'Environment variables'. Click the variable WEBSITE_RUN_FROM_PACKAGE and change the value to https://github.com/briandelmsft/STAT-Function/releases/download/v2.0.8/stat.zip. Click Apply and then restart the function app.
