Hunt devices with local admin account using the MDE API and Azure Automation
In this post, I will share an Azure Automation runbook that runs a KQL query against MDE (Microsoft Defender for Endpoint) to list devices with a local admin account and sends a mail alert with the result.
The solution
- A runbook in Azure Automation, authenticated with the account's managed identity
- It runs a KQL (advanced hunting) query on MDE
- It gets all devices with a local admin account
- A mail is sent with the list of devices as a CSV attachment
- The runbook is scheduled
The mail notification
See below an overview of the mail notification:
In the attached CSV you will get info as below:
Get script
Click on the GitHub picture below to get the scripts.
You will find:
- Assign_permissions.ps1: script to add the Graph permissions to the managed identity (MI)
- Runbook.ps1: the Azure Automation runbook
What does the script do?
The script proceeds as below:
1. Authenticate to Graph with the managed identity
2. Run a KQL query on the DeviceLogonEvents table in MDE to find devices with a local admin account
For each device found:
3. Run a KQL query on the DeviceEvents table in MDE to get the date when the account was created
4. Get info about the device in Intune
5. Get info about the device in Entra ID
6. Get info about the device in Autopilot
7. Gather all the info
8. Save the info in a CSV
9. Send the CSV by mail
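As an added example of the flow above (my own code, not the author's Runbook.ps1), here is a minimal runbook that covers steps 1, 2, 3, 8 and 9. It assumes the automation account's system-assigned managed identity already holds ThreatHunting.Read.All and Mail.Send, and the sender, recipients and lookback period are placeholder values. The KQL is my own: it treats an account whose AccountDomain equals the DeviceName as a local account, and instead of one DeviceEvents query per device it joins the account-creation events in a single query. Intune, Entra ID and Autopilot lookups (steps 4 to 6) are left out.

```powershell
# Added example runbook, not the Runbook.ps1 from the post.
# Assumed values: $Sender, $Recipients, $LookbackDays are placeholders to adapt.
$ErrorActionPreference = "Stop"
$Sender       = "mde-alerts@contoso.com"   # assumption: mailbox the managed identity sends from
$Recipients   = @("secops@contoso.com")    # assumption: who receives the CSV
$LookbackDays = 7

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users.Actions

# Step 1: authenticate with the automation account's system-assigned managed identity
Connect-MgGraph -Identity -NoWelcome

# Steps 2 and 3 in one advanced hunting query.
# Assumption: a local account is one whose AccountDomain equals the device name.
# DeviceEvents is kept 30 days in advanced hunting, so CreatedOn is empty for older accounts.
$Query = @"
let lookback = ${LookbackDays}d;
let LocalAdmins = DeviceLogonEvents
| where Timestamp > ago(lookback)
| where IsLocalAdmin == true
| where AccountDomain =~ DeviceName
| summarize LastLogon = max(Timestamp), LogonCount = count() by DeviceId, DeviceName, AccountName;
let Created = DeviceEvents
| where ActionType == "UserAccountCreated"
| summarize CreatedOn = min(Timestamp) by DeviceId, AccountName;
LocalAdmins
| join kind=leftouter Created on DeviceId, AccountName
| project DeviceName, DeviceId, AccountName, LastLogon, LogonCount, CreatedOn
| order by LastLogon desc
"@

function Invoke-HuntingQuery([string]$Kql) {
    # Graph endpoint behind ThreatHunting.Read.All; the response carries a 'results' array
    $Body = @{ Query = $Kql } | ConvertTo-Json -Compress
    $Resp = Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" `
        -Body $Body -ContentType "application/json"
    return @($Resp.results)
}

$Results = Invoke-HuntingQuery -Kql $Query
Write-Output "Local admin accounts found: $($Results.Count)"
if ($Results.Count -eq 0) { Write-Output "Nothing to report, no mail sent"; return }

# Step 8: results come back as hashtables, so build explicit objects before exporting
$Rows = $Results | ForEach-Object {
    [pscustomobject]@{
        DeviceName  = $_.DeviceName
        DeviceId    = $_.DeviceId
        AccountName = $_.AccountName
        LastLogon   = $_.LastLogon
        LogonCount  = $_.LogonCount
        CreatedOn   = $_.CreatedOn
    }
}
$CsvPath = Join-Path $env:TEMP ("LocalAdmins_{0}.csv" -f (Get-Date -Format "yyyyMMdd"))
$Rows | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8

# Step 9: send the CSV as an attachment with Send-MgUserMail (Mail.Send permission)
$Html = "<p>$($Results.Count) local administrator account(s) seen in the last $LookbackDays days. Details in the attached CSV.</p>"
$Mail = @{
    message = @{
        subject      = "[MDE] Devices with local admin accounts - $(Get-Date -Format 'yyyy-MM-dd')"
        body         = @{ contentType = "HTML"; content = $Html }
        toRecipients = @($Recipients | ForEach-Object { @{ emailAddress = @{ address = $_ } } })
        attachments  = @(@{
            "@odata.type" = "#microsoft.graph.fileAttachment"
            name          = Split-Path $CsvPath -Leaf
            contentType   = "text/csv"
            contentBytes  = [Convert]::ToBase64String([System.IO.File]::ReadAllBytes($CsvPath))
        })
    }
    saveToSentItems = $false
}
Send-MgUserMail -UserId $Sender -BodyParameter $Mail
Write-Output "Mail sent to $($Recipients -join ', ')"
```

Two points worth checking before scheduling it: the query runs with the retention of advanced hunting, so a lookback above 30 days returns nothing extra, and the built-in Administrator (RID 500) and any LAPS-managed account will show up too, so filter them in the KQL if they are expected on your devices.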
Creating automation account
Purpose: here we will create the automation account that will run the script and send the data.
1. Go to Azure
2. Go to Automation accounts
3. Click on Create
4. Type a name
5. Choose a Subscription, resource group and region
6. Go to the Advanced tab
7. Select System assigned
8. Click on Create
Setting Managed Identity
Use this part only if the managed identity was not enabled when the automation account was created.
When you enable the system-assigned managed identity, a new Enterprise application (service principal) is created in Entra ID.
It will be used to authenticate to our tenant and do the API calls, without any stored secret or certificate.
For that we will proceed as below:
1. Go to your automation account
2. Go to Identity
3. Go to System assigned
4. Select On
5. Click on Save
6. Click on Yes
Adding modules
Purpose: here we need to add the modules used to authenticate to Graph, run the hunting query and send the mail.
Microsoft.Graph.Users.Actions is only needed if you want to send the info by mail.
1. Go to your automation account
2. Click on Modules gallery
3. Import the following modules (pick the same module version for all three):
- Microsoft.Graph.Authentication
- Microsoft.Graph.Security
- Microsoft.Graph.Users.Actions
Adding permissions
Purpose: in order to run the advanced hunting query and send mail, we need to add application permissions to our managed identity.
We need the following Microsoft Graph permissions:
- ThreatHunting.Read.All
- Mail.Send
If your runbook also queries Intune, Entra ID and Autopilot (steps 4 to 6 above), the managed identity also needs the read permissions for those resources; check the Graph calls in Runbook.ps1 for the exact scopes.
We will proceed as below:
1. Edit the Assign_permissions.ps1 script
2. Modify the variables $TenantID and $DisplayNameOfMSI
3. Run the script with an account allowed to grant application permissions
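As an added example of what the permission assignment does (my own code, not the author's Assign_permissions.ps1), the script below grants the two app roles to the managed identity and skips any that are already assigned, so it can be re-run safely. The tenant ID and managed identity name are placeholders; the Microsoft Graph application ID is the well-known one.

```powershell
# Added example, equivalent in purpose to Assign_permissions.ps1 but not that file.
# Run interactively with an account that can grant application permissions.
$ErrorActionPreference = "Stop"
$TenantID         = "00000000-0000-0000-0000-000000000000"  # assumption: your tenant ID
$DisplayNameOfMSI = "aa-mde-localadmin"                      # assumption: automation account name
$Permissions      = @("ThreatHunting.Read.All", "Mail.Send")
$GraphAppId       = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph app ID

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

# Delegated scopes needed to read service principals and write app role assignments
Connect-MgGraph -TenantId $TenantID `
    -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All" -NoWelcome

# The managed identity shows up as a service principal named like the automation account
$Msi = @(Get-MgServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'")
if ($Msi.Count -ne 1) { throw "Expected exactly one service principal named '$DisplayNameOfMSI', found $($Msi.Count)" }
$Msi = $Msi[0]

# The Graph service principal carries the catalogue of app roles we can assign
$Graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$Existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Msi.Id -All

foreach ($Perm in $Permissions) {
    # Only roles of type Application can be granted to a managed identity
    $Role = $Graph.AppRoles | Where-Object {
        $_.Value -eq $Perm -and $_.AllowedMemberTypes -contains "Application"
    }
    if (-not $Role) { throw "Application permission '$Perm' not found on Microsoft Graph" }

    $Already = $Existing | Where-Object { $_.AppRoleId -eq $Role.Id -and $_.ResourceId -eq $Graph.Id }
    if ($Already) { Write-Host "$Perm is already assigned, skipping"; continue }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Msi.Id `
        -PrincipalId $Msi.Id -ResourceId $Graph.Id -AppRoleId $Role.Id | Out-Null
    Write-Host "Assigned $Perm to $DisplayNameOfMSI"
}
```

Mail.Send as an application permission lets the identity send as any mailbox in the tenant. Limit it to the sender mailbox with an Exchange Online application access policy (New-ApplicationAccessPolicy) before scheduling the runbook.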
Editing the script
Purpose: here we will modify the runbook script to adapt the mail notification to our needs.
We will proceed as below:
1. Edit the Runbook.ps1 script
2. Modify the following variables:
Creating the Runbook
Purpose: here we will create the runbook that runs the KQL query remotely.
1. Click on Create a runbook
2. Type a name
3. In Runbook type, select PowerShell
4. Click on Create
5. Paste the content of Runbook.ps1
6. Click on Save
7. Click on Publish, then link a schedule to the runbook