Automated machine tagging in just a few simple steps...
Published Jan 05 2019 11:58 PM
Microsoft

...or how simple it is to use the Windows Defender ATP APIs

The new year offers a (somewhat) fresh start, giving us the opportunity to reflect on the past year: what went well, what we could have done better, and which new insights can carry over as resolutions for the coming year. In the world of security operations, particularly triage and prioritization, we might ask ourselves two key questions:

  • Are all machines created equal?
  • And what about users, should security operations center (SOC) analysts treat them all the same?

If you answered either of these questions with a “no”, then this blog post is for you! And even if you answered “yes”, we still recommend you continue reading: it might spark some new and innovative ideas.

SOC life in a world of tags

Imagine a world where your machines are all tagged with unique attributes:

  • Functional or task-oriented tags: accounting, finance devices, network edge servers, kiosk, shared machine, reception desk
  • Ownership tags: Red team (for example, “No need to panic. John is testing his tool… again.”), C-level (for example, “It is the right time to start panicking!”)

With all machines tagged, your SOC analyst can triage alerts more efficiently. Proactive threat hunting can be more focused and can be done with fewer, simpler steps.

All of this is now possible with the Windows Defender ATP APIs, and you certainly don’t need to be a top-notch developer to get it done!

Step 1: Find C-level machines

Let’s identify the machines owned by your CEO and other C-level users.

You can always do this by integrating with an external system that manages your assets. A simpler way, though, is to check where your C-level users are active by running the following query in Windows Defender ATP advanced hunting (it uses the current DeviceLogonEvents schema):

DeviceLogonEvents
| where Timestamp > ago(7d)
| where LogonType in ("Interactive", "RemoteInteractive", "CachedInteractive", "CachedRemoteInteractive")
| summarize InteractiveLoginCount = count() by DeviceId, DeviceName, AccountName
| summarize arg_max(InteractiveLoginCount, AccountName) by DeviceId, DeviceName // keep the account with the most interactive logons on each device
| where AccountName in~ ("CEO-user", "CFO-user", "CTO-user") // Replace these with values relevant to your org; in~ ignores case
| distinct DeviceId

Try running the query to validate it. Note that it attributes each device to whichever account logged on interactively most often in the last seven days, so a shared machine that a C-level user happens to use heavily will be picked up too; review the result set before automating it. Once validated, you have a quick and easy way to identify the C-level machines. Let’s see how we can use this further.

Step 2: Automate machine finding and tagging

Let’s automate the finding and tagging of C-level machines. For this blog, we’ll use Microsoft Flow (now Power Automate) to talk to the APIs, but note that you can get similar results with other tools such as Azure Logic Apps.

Create a new flow

Sign in to Microsoft Flow and create a new flow from blank. We will walk you through configuring the flow so that it automatically runs the advanced hunting query and tags the machines returned by the query.

(Screenshot: tag1.png)

Define the trigger

Use the built-in Recurrence trigger to set the flow to run at regular intervals.

   

(Screenshot: tag2.png)

Set the flow to run every Sunday, ensuring new C-level machines are tagged weekly.

   

(Screenshot: tag3.png)

Add “Advanced Hunting” as the first action

To keep things simple, we’ve provided a dedicated advanced hunting action in the Windows Defender ATP connector. Add this as the first action of your flow.

   

(Screenshot: tag4.png)

Paste the query you have validated in step 1.

   

(Screenshot: tag5.png)

Add “Tag Machine” as the second action

   

(Screenshot: tag6.png)

For the ID of the machine, use the dynamic content item that carries the device identifier returned by the query (shown as MachineId below; the connector exposes the columns your query returns, so with the query above look for DeviceId). Specify your preferred tag (in this example, we use “Executive”) and set the action to Add.

   

(Screenshot: tag7.png)

Step 3: Test your flow

Before running a test, ensure your flow has the three steps shown below and click Save.

 

(Screenshot: tag8.png)

When ready, simply click Test to trigger the flow. Select I’ll perform the trigger action when prompted.

  

(Screenshot: tag9.png)

After running the test, validate whether your tags have been applied. Go to the Windows Defender ATP portal and check for tags on one of your C-level machines.
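The three steps above as one script, added here as an example and not code from the original post or the Windows Defender ATP team: it runs the Step 1 query through the advanced hunting API, lists the devices already carrying the tag, and issues Add and Remove tag actions so the tag reflects the current query result instead of only ever growing, which is what the Flow’s Add-only action does. It assumes an Azure AD app registration with the AdvancedQuery.Read.All and Machine.ReadWrite.All application permissions; the tenant, client ID and secret are values you supply, and the FakeApi class with its dev-a/dev-b/dev-c devices is constructed so the logic runs offline.

```python
"""Added example, not code from the original post: Steps 1-3 driven directly
against the Windows Defender ATP (Microsoft Defender for Endpoint) REST API,
plus a reconciliation step that also removes the tag from devices that no
longer qualify. Assumes an Azure AD app registration with the
AdvancedQuery.Read.All and Machine.ReadWrite.All application permissions."""
import json
import urllib.parse
import urllib.request

API = "https://api.securitycenter.microsoft.com"
TAG = "Executive"
HUNT = """
DeviceLogonEvents
| where Timestamp > ago(7d)
| where LogonType in ("Interactive", "RemoteInteractive", "CachedInteractive", "CachedRemoteInteractive")
| summarize InteractiveLoginCount = count() by DeviceId, DeviceName, AccountName
| summarize arg_max(InteractiveLoginCount, AccountName) by DeviceId, DeviceName
| where AccountName in~ ("CEO-user", "CFO-user", "CTO-user")
| distinct DeviceId
"""  # same query as Step 1; the account names are placeholders

def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for the API (Azure AD v1 token endpoint)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "resource": API}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]

def api_caller(token):
    """Build call(method, url_or_path, body) that makes a real authenticated JSON request."""
    def call(method, url, body=None):
        if not url.startswith("http"):          # @odata.nextLink comes back absolute
            url = API + url
        req = urllib.request.Request(
            url, method=method,
            data=json.dumps(body).encode() if body is not None else None,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return call

def hunt_device_ids(call, query=HUNT):
    """POST /api/advancedqueries/run returns {"Schema": [...], "Results": [rows]}."""
    result = call("POST", "/api/advancedqueries/run", {"Query": query})
    return {row["DeviceId"] for row in result["Results"]}

def tagged_device_ids(call, tag=TAG):
    """Page through GET /api/machines and keep the ids whose machineTags contain `tag`."""
    ids, url = set(), "/api/machines"
    while url:
        page = call("GET", url)
        ids |= {m["id"] for m in page["value"] if tag in (m.get("machineTags") or [])}
        url = page.get("@odata.nextLink")
    return ids

def plan(desired, current):
    """Pure reconciliation: (ids to tag, ids to untag), sorted for stable output."""
    return sorted(desired - current), sorted(current - desired)

def sync_tags(call, tag=TAG):
    """Apply the plan via POST /api/machines/{id}/tags with Action Add or Remove."""
    to_add, to_remove = plan(hunt_device_ids(call), tagged_device_ids(call, tag))
    for dev in to_add:
        call("POST", f"/api/machines/{dev}/tags", {"Value": tag, "Action": "Add"})
    for dev in to_remove:
        call("POST", f"/api/machines/{dev}/tags", {"Value": tag, "Action": "Remove"})
    return to_add, to_remove

class FakeApi:
    """Constructed stand-in for the API so the logic runs offline: dev-c still carries
    the tag but no longer shows C-level logons, dev-b is newly found by the query."""
    def __init__(self):
        self.machines = {"dev-a": ["Executive"], "dev-b": [], "dev-c": ["Executive"]}
        self.hunt_hits = ["dev-a", "dev-b"]

    def __call__(self, method, url, body=None):
        if url == "/api/advancedqueries/run":
            return {"Schema": [{"Name": "DeviceId", "Type": "String"}],
                    "Results": [{"DeviceId": d} for d in self.hunt_hits]}
        if url == "/api/machines":
            return {"value": [{"id": d, "machineTags": list(t)}
                              for d, t in self.machines.items()]}
        dev = url.split("/")[3]                   # /api/machines/{id}/tags
        tags = self.machines[dev]
        if body["Action"] == "Add":
            tags.append(body["Value"])
        else:
            tags.remove(body["Value"])
        return {"id": dev, "machineTags": tags}

def demo():
    """One reconciliation against the fake; returns (added, removed, tags afterwards)."""
    fake = FakeApi()
    added, removed = sync_tags(fake)
    return added, removed, fake.machines

if __name__ == "__main__":
    # Offline run; for real use swap FakeApi() for api_caller(get_token(...)).
    print(demo())
```

Run the file as-is to exercise the reconciliation against the constructed FakeApi; for a real run, replace FakeApi() with api_caller(get_token(tenant_id, client_id, client_secret)). Review the planned removals before trusting them: the query’s seven-day heuristic will drop a device that a C-level user simply did not touch that week, and a Remove on a production tag is as visible to the SOC as an Add.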

 

And we are done!

Let’s summarize what we have learned:

  • We helped SOC analysts with alert triage by adding organizational context and knowledge to the machines.
  • We scheduled a recurring flow that tags newly identified C-level machines every week. Note that the flow only ever adds the tag: a machine that stops being used by a C-level user keeps it until someone removes it, which the Tag Machine action supports through its Remove option.
  • We learned how easy it is to leverage the Windows Defender ATP APIs and achieve more.

Would you like to share an example or two describing your own experiences applying the Windows Defender ATP APIs?

Don’t be shy. Send us a smiley-face feedback via the portal, and we’ll take care of the rest!

(Screenshot: tag10.png)

Thank you!

Windows Defender ATP team

Last update: Jun 16 2020 10:55 PM