Closed: jujaakko closed this 3 months ago
@jujaakko I like this idea, I see in your sample KQL you are doing a take 1, my concern here is ensuring we find the right device since there could be more than one device with the right name. I'm thinking we have to put in some more logic here.
If we have an FQDN, try to match on the FQDN first; if not, fall back to hostname. If there is more than one match, find the one that has most recently communicated, or filter out devices that haven't communicated in x days. If there are multiple devices with the same name that have recently communicated, I think we may just need to fail intentionally, since we don't really know which device is the correct one.
@piaudonn do you think we should provide an option to disable this enrichment via host name?
I agree, that would be a problem, this was just the first idea that came to me. Your logic sounds like a good option.
Maybe one solution could be that if there are multiple devices with the same name, just make the MDE API query for each of them and return all values? As a user, I think I'd rather have all the information at hand than nothing at all. Though this might mess up the scoring?
@jujaakko I'll provide a link to the build and instructions early next week as soon as I've tested the build
@jujaakko the build with this functionality is now published. To update, simply repoint your function app to: https://github.com/briandelmsft/STAT-Function/releases/download/v2.0.8/stat.zip
To repoint the function app, locate the function app in the Azure portal and in the menu click 'Environment variables', click the variable WEBSITE_RUN_FROM_PACKAGE and change the value to https://github.com/briandelmsft/STAT-Function/releases/download/v2.0.8/stat.zip. Click Apply and then restart the function app.
Is your feature request related to a problem? Please describe.
In some cases, a host-type entity in the incident does not contain either an MDE ID or a proper FQDN. As a result, the MDE module returns no results, even though the device (host) in the incident is onboarded to MDE. An example for which the MDE module doesn't return any information:
Describe the solution you'd like
The MDE module could obtain, for example, the aadDeviceId using KQL (module) and fetch the information from the MDE API using this identifier. The KQL query could be something like this (matching on the DeviceName column, with "<hostname>" standing in for the entity's host name):
DeviceInfo | where DeviceName has "<hostname>" | project AadDeviceId | take 1
and the API call would be something like this:
https://api.securitycenter.microsoft.com/api/machines?$filter=aadDeviceId eq AadDeviceId
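An added example (not STAT-Function's own code) that puts together the two parts of this thread: the query and API lookup proposed in the issue body, and the selection rules from the maintainer's comment (FQDN first, then hostname, drop devices that have not reported within x days, and fail deliberately when several recent devices share a name). The DeviceInfo rows and the fixed clock are constructed sample data; the column names follow the advanced-hunting DeviceInfo schema, the `summarize arg_max(Timestamp, *) by DeviceId` step replaces the original `take 1` so that one row per device comes back, and the single-quoted aadDeviceId in the OData filter is an assumption about how the machines API expects a string literal.

```python
"""Resolve a host entity with no MDE ID to exactly one MDE device.

Added example, not code from STAT-Function. Sample rows and NOW are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

MDE_API = "https://api.securitycenter.microsoft.com/api/machines"
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")

# Constructed sample DeviceInfo rows: latest heartbeat per DeviceId.
SAMPLE_DEVICEINFO = [
    {"DeviceId": "d-001", "AadDeviceId": "aad-001", "DeviceName": "ws01.contoso.com", "Timestamp": "2024-05-01T10:00:00Z"},
    {"DeviceId": "d-002", "AadDeviceId": "aad-002", "DeviceName": "ws01", "Timestamp": "2024-04-30T09:00:00Z"},
    {"DeviceId": "d-003", "AadDeviceId": "aad-003", "DeviceName": "ws01.fabrikam.com", "Timestamp": "2024-01-15T12:00:00Z"},
    {"DeviceId": "d-004", "AadDeviceId": "aad-004", "DeviceName": "srv02.contoso.com", "Timestamp": "2024-05-01T08:00:00Z"},
    {"DeviceId": "d-005", "AadDeviceId": "aad-005", "DeviceName": "srv02.contoso.com", "Timestamp": "2024-05-01T09:00:00Z"},
]
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample


class AmbiguousDeviceError(Exception):
    """Several recently active devices carry the same name; refuse to guess."""


def _validate(name):
    # Entity fields come straight from the incident; accept only DNS-safe
    # characters before splicing them into a KQL string literal.
    if not _SAFE_NAME.match(name):
        raise ValueError(f"unsafe host name: {name!r}")
    return name.lower()


def build_kql(host_name, dns_domain=None, max_age_days=7):
    """KQL returning the latest DeviceInfo row per device matching FQDN or hostname."""
    host = _validate(host_name)
    fqdn = _validate(f"{host_name}.{dns_domain}") if dns_domain else host
    return (
        "DeviceInfo\n"
        f"| where Timestamp > ago({int(max_age_days)}d)\n"
        f'| where DeviceName =~ "{fqdn}" or tostring(split(DeviceName, ".")[0]) =~ "{host}"\n'
        "| summarize arg_max(Timestamp, *) by DeviceId\n"
        "| project DeviceId, AadDeviceId, DeviceName, Timestamp"
    )


def select_device(rows, host_name, dns_domain=None, max_age_days=7, now=None):
    """Return the one matching row, None when nothing recent matches, raise when ambiguous."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    host = _validate(host_name)
    fqdn = _validate(f"{host_name}.{dns_domain}") if dns_domain else None

    def recent(row):
        reported = datetime.fromisoformat(row["Timestamp"].replace("Z", "+00:00"))
        return reported >= cutoff

    # 1. An exact FQDN match wins outright.
    matches = [r for r in rows if fqdn and r["DeviceName"].lower() == fqdn]
    # 2. Otherwise fall back to matching the first DNS label against the hostname.
    if not matches:
        matches = [r for r in rows if r["DeviceName"].lower().split(".")[0] == host]
    # 3. Ignore devices that have not reported within the window.
    matches = [r for r in matches if recent(r)]
    if not matches:
        return None
    # 4. Two or more live devices with the same name: fail on purpose rather than guess.
    if len(matches) > 1:
        raise AmbiguousDeviceError(sorted(r["DeviceId"] for r in matches))
    return matches[0]


def machines_url(aad_device_id):
    """Machines API URL filtered on aadDeviceId (quoted string literal is an assumption)."""
    if not re.fullmatch(r"[A-Za-z0-9-]+", aad_device_id):
        raise ValueError("unexpected aadDeviceId format")
    return f"{MDE_API}?$filter=aadDeviceId eq '{aad_device_id}'"


if __name__ == "__main__":
    print(build_kql("ws01", "contoso.com"))
    chosen = select_device(SAMPLE_DEVICEINFO, "ws01", "contoso.com", now=NOW)
    print(machines_url(chosen["AadDeviceId"]))
```

With the sample data, "ws01" plus domain "contoso.com" resolves cleanly to d-001; the bare hostname "ws01" is refused because d-001 and d-002 both reported within the last seven days; "ws01.fabrikam.com" matches only a device last seen in January and so yields nothing; and "srv02.contoso.com" is refused because two live devices share that exact FQDN. Surfacing the ambiguity to the analyst (rather than silently enriching the wrong host) is what keeps the scoring honest.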