Microsoft Defender for Endpoint Dashboard - mattnovitsch/M365 GitHub Wiki

Summary

I’ve been working with Microsoft Defender for Endpoint for about a month with my customers as it has suddenly been a very hot topic for them. Since I had only read about it and not had any hands-on experience, I figured it was time to throw it up in my lab. It was deployed; great, now what? I then started to pull data from the API and created several pages off the system. This dashboard will provide you with your endpoint health status in the security portal, provide you with CVE vulnerabilities, and provide you with details on threats per endpoint. This information is pulled directly from the Microsoft Security API for your tenant. The pages include:

  • ATP-Overview
  • ATP - Application Inventory
  • CVEVulnerabilities
  • ATP - Hunting
  • ATP - Unhealthy Endpoints
  • ATP - High Risk Endpoints

Prerequisites

Steps

  1. Open the MDE Dashboard. Note: this will take a few minutes as it is building the local database used to generate the dashboards.
  2. Select any data set from the Fields column on the right and select Edit Query.
  3. Click AADSignons on the left-hand side where it says Queries, then select Advanced Editor at the top.
  4. Open the first PowerBIQuery.txt file you saved from the Azure AD Signon Logs.
  5. Copy all the content, paste it into the Advanced Editor, then click Done.
     • Note: there is a GUID in here that changes per workspace.
  6. Click AADSignon-Noninteractive on the left-hand side where it says Queries, then select Advanced Editor at the top.
  7. Open the second PowerBIQuery.txt file you saved from the Azure AD Signon Logs.
  8. Copy all the content, paste it into the Advanced Editor, then click Done.
     • Note: there is a GUID in here that changes per workspace.
  9. Click Close & Apply when finished.

Once the data has been refreshed you should see something like these.

  • Note: There is an Unhealthy Endpoints page that I was not able to populate due to the fact that it requires loading viruses and malware on the system, and I'm sure Microsoft Security wouldn't like that much.
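The Unhealthy Endpoints and High Risk Endpoints pages are both derived from per-machine fields in the API data. The following is an added example (not part of this wiki or its Power BI queries) that classifies a constructed sample in the shape of the Defender for Endpoint machines API response; the field names `healthStatus`, `riskScore` and `exposureLevel` and their values are assumed from the public machine schema, so check them against your tenant's actual output.

```python
import json

# Constructed sample resembling the "value" array of the machines API response.
# Field names and enum values are assumptions based on the public machine schema.
SAMPLE_MACHINES_JSON = """
{"value": [
  {"id": "m1", "computerDnsName": "ws-01.corp.example", "healthStatus": "Active",
   "riskScore": "High", "exposureLevel": "High"},
  {"id": "m2", "computerDnsName": "ws-02.corp.example", "healthStatus": "ImpairedCommunication",
   "riskScore": "Low", "exposureLevel": "Medium"},
  {"id": "m3", "computerDnsName": "srv-01.corp.example", "healthStatus": "NoSensorData",
   "riskScore": "Medium", "exposureLevel": "Low"},
  {"id": "m4", "computerDnsName": "ws-03.corp.example", "healthStatus": "Active",
   "riskScore": "None", "exposureLevel": "None"}
]}
"""

# Any health status other than "Active" means the sensor is not reporting normally.
UNHEALTHY_STATES = {"Inactive", "ImpairedCommunication", "NoSensorData",
                    "NoSensorDataImpairedCommunication", "Unknown"}

# Ordering used to compare risk scores; unknown values are treated as lowest risk.
RISK_ORDER = {"None": 0, "Informational": 1, "Low": 2, "Medium": 3, "High": 4}


def load_machines(raw_json):
    """Parse the API body and return the list of machine records."""
    return json.loads(raw_json)["value"]


def unhealthy_endpoints(machines):
    """Machines whose sensor health is degraded (the 'Unhealthy Endpoints' page)."""
    return sorted(m["computerDnsName"] for m in machines
                  if m.get("healthStatus") in UNHEALTHY_STATES)


def high_risk_endpoints(machines, min_risk="High"):
    """Machines with a risk score at or above min_risk (the 'High Risk Endpoints' page)."""
    threshold = RISK_ORDER[min_risk]
    return sorted(m["computerDnsName"] for m in machines
                  if RISK_ORDER.get(m.get("riskScore", "None"), 0) >= threshold)


def summary(raw_json):
    """Counts and name lists that feed the two dashboard pages."""
    machines = load_machines(raw_json)
    return {"total": len(machines),
            "unhealthy": unhealthy_endpoints(machines),
            "high_risk": high_risk_endpoints(machines)}


if __name__ == "__main__":
    print(json.dumps(summary(SAMPLE_MACHINES_JSON), indent=2))
```

Replace `SAMPLE_MACHINES_JSON` with the body your tenant returns to reproduce the two pages outside Power BI, which is handy for checking that the pasted queries filter the same machines.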