Managing MDE device groups with a Logic App

By Gianni Castaldi

You can use KQL in MDE to hunt for new threats or to create custom detections, but there is also a third option. You could use your advanced hunting queries in Logic Apps, to automate actions. Bear in mind there is an API limit at the time of writing. The limit is set to 100 calls per 60 seconds.

In this blog, I will show a KQL query to tag devices, based on their public and client IP address. We will also create device groups so they will be populated with devices based on the tags we assign from the Logic App. In the KQL we will only tag devices that are not in a device group. You could also match the device group to the group from the KQL and if it is not equal then remove the tag and assign a new one.

The KQL exists out of 9 steps:

  • Get the logon events within the timeframe
  • Get the device information within the timeframe
  • Get the device network information within the timeframe
  • Join the 3 together
  • Show all items where the MachineGroup (device group) is empty
  • Parse the network information
  • Parse the OS type based on client version
  • Show all distinct items
  • Set the group column based on the client and public IP
// Create the value for the Lookback period
let LookBack1H = ago(1h);
// Get all the signins in the timeframe
let Logons1H =
| where Timestamp > LookBack1H
| where LogonType in ("Interactive", "RemoteInteractive", "CachedInteractive","CachedRemoteInteractive")
| where ActionType == "LogonSuccess"
// Get all device information
let DeviceInfomation =
| where Timestamp >= LookBack1H
// Get all network information
let DeviceNetworkInformation = 
| where Timestamp >= LookBack1H
// Join all information
Logons1H | join DeviceInfomation on DeviceId
| join DeviceNetworkInformation on DeviceId
// Select all items where the device group is empty
| where isempty(MachineGroup)
// Parse the network information
| extend IPList=parse_json(IPAddresses)
| mv-expand IPList
| where NetworkAdapterStatus =~"Up"
| extend ClientIP = tostring(IPList.IPAddress), ClientSubnet = toint(IPList.SubnetPrefix), ClientAddressType = tostring(IPList.AddressType)
| where ClientSubnet <= 32
| where ClientIP !hasprefix "169.254."
// Parse the OS type based on the client version
| extend OperatingsystemType = case(ClientVersion hasprefix "10.3720.16299.2", "Windows Server", "Windows Client")
// Show all distinct items
| distinct DeviceId, DeviceName, PublicIP, ClientIP, ClientSubnet, ClientAddressType, OperatingsystemType
// Set the Group column based on the client and public IP
| extend Group = case(parse_ipv4(PublicIP) between ( parse_ipv4("").. parse_ipv4("")) and 
                      parse_ipv4(ClientIP) between ( parse_ipv4("").. parse_ipv4("")),"DataCenter01",
                      parse_ipv4(PublicIP) between ( parse_ipv4("").. parse_ipv4("")) and 
                      parse_ipv4(ClientIP) between ( parse_ipv4("").. parse_ipv4("")),"DataCenter02",

To use Logic Apps you need a resource group to create the Logic App in. Once you have created the Logic App you can open the Logic App designer and start with a blank Logic App.

The next step is adding a trigger, for this blog I have created a recurring trigger, that runs every hour. If you expect more devices in an hour or you have a lot of devices you want to tag, then set the time frame to 60 seconds.

After that, we will add the MDE advanced hunting query action. The first time you add an MDE action to a Logic App you have to grant consent. Look for “defender” in the search bar and scroll down to the advanced hunting action. Add the KQL in the query field.

The final step in the Logic App is to tag devices with the group from the KQL query. Look in the MDE group for the action with “tag” in the name. And add the values so the devices can be tagged with the right group.

After finishing the action save an run the Logic App. If it has finished successfully al steps should be green.

Once the devices have the tags, we create the groups with the tags. To do this we go to the MDE portal, go to Settings, and select Device Groups under Permissions. There you click Add device group and target the systems based on the tags from the KQL. Do not forget to set the approval level according to your design. My personal preference would be to at least automate all temp folder actions. That is why I select “Semi – require approval for non-temp folders”.

After saving the device group, it will take a couple of minutes before it is populated.

Alternative Text

By Gianni Castaldi

MVP | NinjaCat | Researching and Engineering Cyber Security @ KustoWorks

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.