MDEAutomator: Open-source endpoint management, incident response in MDE

Managing endpoints and responding to security incidents in Microsoft Defender for Endpoint (MDE) can be time-consuming and complex. MDEAutomator is an open-source tool designed to make that easier.

MDEAutomator

MDEAutomator is a modular, serverless solution for IT and security teams looking to save time and reduce manual work. By using Azure Function Apps and a custom PowerShell module, MDEAutomator automates tasks like deploying MDE to new devices and responding to alerts, without needing to manage extra infrastructure.

Key features

  • Portable PowerShell module
  • Bulk automation of MDE response actions and live response actions
  • Bulk management of MDE threat indicators (IOCs)
  • Designed for multi-tenant use cases
  • Secretless App Registration/UMI auth + manual $SPNSECRET flexibility
  • Ability to deliver key configuration settings via PowerShell that are not available in Endpoint Security Profiles
  • Automated daily Threat Hunting for all onboarded tenants
  • Custom Detection synchronization & management with Azure Storage
  • Convenient upload of endpoint packages/files to Azure Storage
  • Simplified management of Defender incidents

Key parts of MDEAutomator

MDEAutomator is made up of several tools that work together to automate tasks in Microsoft Defender for Endpoint. Each part has a specific job that helps security teams save time and respond to threats faster.

PowerShell Module
At the heart of MDEAutomator is a custom PowerShell module. It includes a wide range of commands (called cmdlets) for managing Defender for Endpoint. These let users handle tasks like setting up authentication, running live response actions, managing detection rules, and working with threat indicators. It also supports advanced searches using Defender’s hunting features.

MDEAutomator Orchestration Platform
This is the main system that runs behind the scenes. It’s serverless, meaning there’s no need to manage infrastructure. It can push PowerShell scripts to Defender-managed devices, run live response commands across many endpoints at once, and automate large-scale actions.

Threat Intelligence Manager
This part manages threat indicators such as file hashes, IP addresses, domains, and code signing certificates. It automates how these indicators are added, updated, or removed. It can also sync custom detection rules from Azure Blob Storage, with built-in version control and checks to make sure the rules are valid before deploying them.
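The validation step mentioned above is easy to underestimate: a bulk indicator push that contains a truncated hash, an internal IP address or a mistyped action can block the wrong thing across every onboarded tenant. The following is an added example written for this article, not MDEAutomator's own code. It reads a constructed CSV of indicators, infers or verifies each indicator's type, refuses IP values that belong to private, loopback or link-local ranges, rejects unknown response actions, and chunks the survivors into request-sized batches. The indicator type and action names follow the Defender for Endpoint indicators API; the CSV layout, the helper names (`classify`, `value_matches`, `validate`, `batches`) and the batch size are this example's own assumptions.

```python
"""Pre-flight validation of a bulk indicator list before it is pushed to
Defender for Endpoint. Added example; not MDEAutomator's own code."""
import csv
import io
import ipaddress
import re

# Indicator type and action names as used by the Defender for Endpoint
# indicators API. The CSV layout and the checks below are this example's own.
INDICATOR_TYPES = {"FileSha1", "FileSha256", "FileMd5", "CertificateThumbprint",
                   "IpAddress", "DomainName", "Url"}
ACTIONS = {"Alert", "Warn", "Block", "Audit", "BlockAndRemediate",
           "AlertAndBlock", "Allowed"}
HEX_TYPES = {"FileMd5": 32, "FileSha1": 40, "FileSha256": 64,
             "CertificateThumbprint": 40}
HEX_BY_LEN = {32: "FileMd5", 40: "FileSha1", 64: "FileSha256"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")
URL_RE = re.compile(r"https?://\S+", re.I)
DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)
# Address ranges that must never end up in a tenant-wide block list.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def classify(value):
    """Infer the indicator type from the value alone. A 40-hex string is
    ambiguous (SHA-1 or certificate thumbprint) and is read as SHA-1, so
    thumbprints must carry an explicit type in the input."""
    if HEX_RE.fullmatch(value) and len(value) in HEX_BY_LEN:
        return HEX_BY_LEN[len(value)]
    try:
        ipaddress.ip_address(value)
        return "IpAddress"
    except ValueError:
        pass
    if URL_RE.fullmatch(value):
        return "Url"
    if DOMAIN_RE.fullmatch(value):
        return "DomainName"
    return None


def value_matches(itype, value):
    """Check that the value really has the shape of the declared type."""
    if itype in HEX_TYPES:
        return bool(HEX_RE.fullmatch(value)) and len(value) == HEX_TYPES[itype]
    if itype == "IpAddress":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return False
        return not ip.is_multicast and not any(ip in net for net in RESERVED)
    if itype == "Url":
        return bool(URL_RE.fullmatch(value))
    if itype == "DomainName":
        return bool(DOMAIN_RE.fullmatch(value))
    return False


def validate(csv_text):
    """Turn CSV rows (type,value,action,title; type may be blank) into
    API-shaped indicator dicts, collecting rejects with a reason."""
    accepted, rejected = [], []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        value = (row.get("value") or "").strip()
        itype = (row.get("type") or "").strip() or classify(value)
        action = (row.get("action") or "").strip()
        if not value:
            rejected.append((n, "empty value"))
        elif itype not in INDICATOR_TYPES:
            rejected.append((n, f"unknown or unclassifiable type for {value!r}"))
        elif not value_matches(itype, value):
            rejected.append((n, f"{value!r} is not an acceptable {itype}"))
        elif action not in ACTIONS:
            rejected.append((n, f"unknown action {action!r}"))
        else:
            accepted.append({"indicatorType": itype, "indicatorValue": value,
                             "action": action,
                             "title": (row.get("title") or "").strip()})
    return accepted, rejected


def batches(items, size):
    """Split accepted indicators into fixed-size chunks; the per-request cap
    of the import endpoint is an assumption left to the caller."""
    return [items[i:i + size] for i in range(0, len(items), size)]


# Constructed sample input: hashes and addresses here are made up.
SAMPLE = """type,value,action,title
,00112233445566778899aabbccddeeff,Block,sample md5
,00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff,Block,sample sha256
CertificateThumbprint,0123456789abcdef0123456789abcdef01234567,Block,revoked signer
,203.0.113.45,Alert,sample c2 address
,10.0.0.5,Block,internal host (must be rejected)
,deadbeef,Block,truncated hash (must be rejected)
,evil-example.test,Block,phishing domain
,https://evil-example.test/payload.exe,Warn,dropper url
,203.0.113.46,Nuke,bad action (must be rejected)
"""

if __name__ == "__main__":
    ok, bad = validate(SAMPLE)
    for line, reason in bad:
        print(f"line {line}: {reason}")
    print(f"{len(ok)} indicators in {len(batches(ok, 4))} batches")
```

The three rejections come out with their CSV line numbers, which is what an operator needs when the source list is a shared spreadsheet; the accepted rows are already in the field layout the API expects, so the only thing left for a pipeline is the authenticated request.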

Action Manager
Action Manager keeps track of the actions being taken across devices in Defender for Endpoint. It also includes a safety switch that can stop all pending actions in case something needs to be rolled back quickly.

Hunt Manager
This tool helps with threat hunting. It supports both manual and scheduled hunts, manages queries, and automatically saves results to Azure Blob Storage for further review.

Incident Manager
Incident Manager is a central place to view and manage Defender XDR incidents. It also tracks comments and updates related to each incident, helping teams stay coordinated during a response.

MDEAutomator is available for free on GitHub.
