[Feature] Add additional methods to MDE module #452
Comments
@jujaakko I like this idea. I see in your sample KQL you are doing a take 1; my concern here is ensuring we find the right device, since there could be more than one device with the right name. I'm thinking we have to put in some more logic here. If we have an FQDN, try to match on the FQDN first.
@piaudonn do you think we should provide an option to disable this enrichment via host name?
I agree, that would be a problem; this was just the first idea that came to me. Your logic sounds like a good option. Maybe one solution could be that if there are multiple devices with the same name, just make the MDE API query for each of them and return all values? As a user, I think I'd rather have all the information at hand than nothing at all. Though this might mess up the scoring?
@jujaakko I'll provide a link to the build and instructions early next week as soon as I've tested the build |
@jujaakko the build with this functionality is now published. To update, simply repoint your function app to: To repoint the function app, locate the function app in the Azure portal and in the menu click 'Environment variables', click the variable WEBSITE_RUN_FROM_PACKAGE and change the value to
Is your feature request related to a problem? Please describe.
In some cases, a host-type entity in the incident does not contain either MDE ID or proper FQDN. As a result, the MDE module returns no results, even though the device (host) in the incident is onboarded to MDE. An example, for which the MDE module doesn't return any information:
Describe the solution you'd like
The MDE module could obtain, for example, the aadDeviceId using KQL (module) and fetch the information from the MDE API using this identifier. The KQL query could be something like this:

```kusto
// "DeviceName" is a placeholder for the host name taken from the incident entity
DeviceInfo
| where DeviceName has "DeviceName"
| project AadDeviceId
| take 1
```
and the API call would be something like this:
https://api.securitycenter.microsoft.com/api/machines?$filter=aadDeviceId eq AadDeviceId
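As an added illustration (not code from the project or from anyone in this thread), the device-selection logic discussed above in Python: match on the FQDN first, fall back to the short host name, and return every match instead of `take 1` so that ambiguous names are visible to the caller. The DeviceInfo rows and device IDs are constructed sample data, and the OData single-quote escaping rule used when building the `$filter` is an assumption.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Constructed sample of DeviceInfo rows (not real data). Two hosts share the short name "ws01".
DEVICE_INFO_ROWS = [
    {"DeviceName": "ws01.contoso.com", "AadDeviceId": "11111111-1111-1111-1111-111111111111"},
    {"DeviceName": "ws01.fabrikam.com", "AadDeviceId": "22222222-2222-2222-2222-222222222222"},
    {"DeviceName": "srv05", "AadDeviceId": "33333333-3333-3333-3333-333333333333"},
]

@dataclass
class HostEntity:
    hostname: str
    fqdn: Optional[str] = None  # incident host entities do not always carry a usable FQDN

def _short(name: str) -> str:
    """Short (NetBIOS-style) host name: label before the first dot, lower-cased."""
    return name.split(".", 1)[0].lower()

def candidate_device_ids(host: HostEntity, rows=DEVICE_INFO_ROWS) -> list[str]:
    """Return the AadDeviceIds of devices matching the host entity.

    Strategy from the thread: an exact, case-insensitive FQDN match wins; only when
    no FQDN match exists fall back to the short host name. All matches are returned
    rather than the first one, so a name collision is not silently resolved.
    """
    if host.fqdn:
        exact = [r["AadDeviceId"] for r in rows if r["DeviceName"].lower() == host.fqdn.lower()]
        if exact:
            return exact
    return [r["AadDeviceId"] for r in rows if _short(r["DeviceName"]) == _short(host.hostname)]

def odata_filter(aad_device_id: str) -> str:
    """Build the filter expression sketched in the issue: aadDeviceId eq '<id>'."""
    # Assumption: OData string literals are single-quoted and an embedded quote is
    # doubled, so a hostile value taken from an incident cannot alter the expression.
    return f"aadDeviceId eq '{aad_device_id.replace(chr(39), chr(39) * 2)}'"

def machines_url(aad_device_id: str) -> str:
    """Percent-encoded /api/machines request URL for one device id."""
    base = "https://api.securitycenter.microsoft.com/api/machines"
    return base + "?" + urlencode({"$filter": odata_filter(aad_device_id)})

if __name__ == "__main__":
    for host in (HostEntity("ws01", "ws01.contoso.com"), HostEntity("ws01"), HostEntity("srv05")):
        ids = candidate_device_ids(host)
        print(host, "->", ids, "(ambiguous)" if len(ids) > 1 else "")
```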