MDE Automator Home - msdirtbag/MDEAutomator GitHub Wiki

MDEAutomator

MDEAutomator is a modular, serverless solution for endpoint management and incident response in Microsoft Defender for Endpoint (MDE) environments. It leverages Azure Function Apps and a custom PowerShell module to orchestrate large MDE deployments, automate response actions, and manage threat indicators at scale.


Core Components

  • MDEAutomator PowerShell Module
    Cmdlets for authentication, device management, live response, response actions, and threat indicator management in MDE.

  • Azure Function Apps

    • MDEDispatcher: Bulk management of response actions.
    • MDEOrchestrator: Bulk management of Live Response commands.
    • MDEProfiles: Bulk delivery of custom PowerShell scripts to endpoints.
    • MDETIManager: Management of Threat Indicators in MDE.

Key Features

  • Bulk automation of MDE response and live response actions
  • Bulk management of MDE threat indicators (IOCs)
  • Multi-tenant support
  • Azure Key Vault secret management
  • Upload endpoint packages/files to Azure Storage
  • Robust error handling and retry logic

Prerequisites

  • Entra ID Service Principal (App Registration) with required API permissions
  • SPN Secret stored securely (Azure Key Vault recommended)
  • Unsigned Script Execution & Live Response enabled in MDE Advanced Settings

Quick Start

  1. Install the Module

    Install-Module -Name MDEAutomator -AllowClobber -Force
    Import-Module -Name MDEAutomator -ErrorAction Stop -Force

  2. Authenticate

    # Using SecureString for SPN Secret
    $token = Connect-MDE -SpnId "<AppId>" -SpnSecret (Read-Host -AsSecureString) -TenantId "<TenantId>"
    
    # Or using Azure Key Vault
    $token = Connect-MDE -SpnId "<AppId>" -keyVaultName "<KeyVaultName>"

  3. Common Operations

    # List all onboarded and active devices
    Get-Machines -token $token
    
    # Isolate a device
    Invoke-MachineIsolation -token $token -DeviceIds @("<DeviceId>")
    
    # Run a Live Response script
    Invoke-LRScript -DeviceIds @("<DeviceId>") -scriptName 'Active.ps1' -token $token
    
    # Block a file hash as a threat indicator
    Invoke-TiFile -token $token -Sha256s @("<SHA256>")
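The common operations above can be combined into a small containment routine for an incident: resolve the affected hostnames against the current device inventory, isolate them, block the associated hashes, and keep a log of what was done. This is an added example, not code from the MDEAutomator wiki or module; it assumes that Get-Machines returns MDE API machine objects exposing `id` and `computerDnsName` properties, and the hostnames and hash in the sample call are placeholders.

```powershell
function Invoke-IncidentContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $SpnId,
        [Parameter(Mandatory)] [string]   $KeyVaultName,
        [Parameter(Mandatory)] [string[]] $Hostnames,
        [string[]] $Sha256s = @(),
        [string]   $LogPath = "$env:TEMP\mde-containment.log"
    )
    # Append a timestamped line to the containment log and echo it to the console.
    $log = { param($msg) $line = "$(Get-Date -Format o) $msg"; Add-Content -Path $LogPath -Value $line; Write-Host $line }

    Import-Module -Name MDEAutomator -ErrorAction Stop -Force
    $token = Connect-MDE -SpnId $SpnId -keyVaultName $KeyVaultName

    # Resolve hostnames against the live inventory instead of trusting device IDs
    # pasted from a ticket; names matching zero or several devices are skipped.
    # Assumption: machine objects carry 'id' and 'computerDnsName' as in the MDE API.
    $inventory = Get-Machines -token $token
    $targets = @()
    foreach ($h in $Hostnames) {
        $match = @($inventory | Where-Object { $_.computerDnsName -ieq $h })
        if ($match.Count -ne 1) { & $log "SKIP $h matched $($match.Count) onboarded device(s)"; continue }
        $targets += $match[0]
    }
    if ($targets.Count -eq 0) { & $log 'No resolvable targets; nothing done'; return }

    # -WhatIf lists the planned actions without isolating or blocking anything.
    [string[]] $ids = $targets.id
    if ($PSCmdlet.ShouldProcess(($targets.computerDnsName -join ', '), 'Isolate device')) {
        try {
            Invoke-MachineIsolation -token $token -DeviceIds $ids
            & $log "ISOLATED $($ids -join ',')"
        } catch {
            & $log "ERROR isolation failed: $($_.Exception.Message)"; throw
        }
    }
    if ($Sha256s.Count -gt 0 -and $PSCmdlet.ShouldProcess(($Sha256s -join ', '), 'Block file hash')) {
        try {
            Invoke-TiFile -token $token -Sha256s $Sha256s
            & $log "BLOCKED $($Sha256s -join ',')"
        } catch {
            & $log "ERROR indicator upload failed: $($_.Exception.Message)"; throw
        }
    }
}

# Constructed sample call; the hostname and hash are placeholders, not real indicators.
Invoke-IncidentContainment -SpnId '<AppId>' -KeyVaultName '<KeyVaultName>' `
    -Hostnames @('ws-finance-07.corp.example') -Sha256s @('<SHA256>') -WhatIf
```

Run once with -WhatIf to review the resolved targets in the log, then rerun without it to perform the isolation and indicator upload.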

Documentation


Security Notes

Warning:
MDEAutomator is a powerful tool. Protect all credentials, scripts, and deployments. Use Azure Key Vault for secret management.


Contributing

We welcome contributions! Please see the Contributing Guidelines for details.


License

This project is licensed under the MIT License.


For more, see the official Microsoft Defender for Endpoint API documentation.
