Forum Discussion

PeterJInobits's avatar
PeterJInobits
Copper Contributor
Sep 17, 2021

Finding DC's using KQL in and defender fro endpoitns

Hi

This is probably a dumb question but is there a foolproof way to use the telemetry provided by DME to identify DC's? I'm often in a position where we were not involved in the MDE rollout and need to verify that all of the DC's have been onboarded. Also interested in using this approach to automatically tag DC's etc..

 

 

  • PeterJInobits
    MDE by itself can't identify or automatically tag a server by the service it is running (like DC, exchange, sql, etc.)

    After onboarding a server, you would need to manually tag a server in the MDE portal.

Resources