Query Details
# *Hunt for Defender for Identity not installed but eligible*
## Query Information
#### MITRE ATT&CK Technique(s)
N/A
#### Description
This query shows which servers are eligible for Defender for Identity (MDI) but do not have the MDI sensor installed. Eligibility is derived from Microsoft Defender for Endpoint (MDE) data, which is therefore a requirement for this query, and is based on the server roles that MDE recognizes: domain controllers, Active Directory Certificate Services, AD FS and Entra Connect (Azure AD Connect) servers. Sensor presence is taken from the software inventory that MDE reports for each device.
#### Risk
If not all eligible servers are onboarded to Defender for Identity, you have a detection gap: identity attacks that pass through the uncovered domain controllers, AD CS, AD FS or Entra Connect servers are not visible to MDI.
#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/
#### References
- N/A
## Defender XDR
```KQL
// Server roles that MDE / Exposure Management recognizes and that MDI covers.
let device_roles = dynamic(["EntraConnectServer", "AzureADConnectServer", "ActiveDirectoryCertificateServicesServer", "DomainController", "ADFS"]);
// Devices where the MDI sensor package shows up in the software inventory reported by MDE.
let mdi_servers = (
    DeviceTvmSoftwareInventory
    | where SoftwareName == "azure_advanced_threat_protection_sensor"
    | distinct MdiDeviceName=tolower(DeviceName)
);
// Devices whose exposure-graph node carries one of the eligible roles, either as the
// device role itself or as the criticality rule that classified the asset.
let mdi_eligible_servers = (
    ExposureGraphNodes
    | extend DeviceRoles = tostring(parse_json(NodeProperties)["rawData"]["deviceRole"])
    | extend CriticalityRuleNames = tostring(parse_json(NodeProperties)["rawData"]["criticalityLevel"]["ruleNames"])
    | where DeviceRoles has_any (device_roles) or CriticalityRuleNames has_any (device_roles)
    | distinct NodeName=tolower(NodeName), DeviceRoles, CriticalityRuleNames
);
// rightouter keeps every eligible server; MdiDeviceName stays empty where no sensor was inventoried.
// Both sides are lowercased so the name match is case-insensitive. If one source reports FQDNs
// and the other short host names, normalize both (for example split(name, ".")[0]) before joining.
mdi_servers
| join kind=rightouter mdi_eligible_servers on $left.MdiDeviceName == $right.NodeName
| extend Issue = iff(isempty(MdiDeviceName), "This server is eligible for MDI but does not have MDI installed", "None")
| where Issue != "None"
```
## Sentinel
```KQL
N/A
```

This query is designed to identify servers that are eligible for Microsoft Defender for Identity (MDI) but do not have the MDI agent installed. It works by leveraging data from Microsoft Defender for Endpoint (MDE) to determine which servers should have MDI based on their roles. Here is a simple breakdown of how the query works:

- **Define eligible roles:** It starts by defining a list of server roles that are eligible for MDI, such as domain controllers and Azure AD Connect servers.
- **Identify installed MDI agents:** It checks the software inventory of devices to find those that already have the MDI agent installed.
- **Find eligible servers:** It then identifies servers that are eligible for MDI based on their roles or criticality levels, as recognized by MDE.
- **Compare and identify gaps:** The query compares the list of eligible servers with those that have the MDI agent installed. If a server is eligible but does not have the agent, it flags this as an issue.
- **Output:** The result is a list of servers that should have MDI installed but currently do not, highlighting a potential security gap.

This helps organizations ensure that all necessary servers are protected by MDI, reducing the risk of undetected security threats.
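As an added example (not part of the original query or the author's repository), the same eligibility logic extended to a second gap the paragraph above does not cover: servers where the sensor package is present in the software inventory but has not generated any outbound traffic in the lookback window, which usually means the sensor service is stopped or broken. It assumes the MDI sensor process is named Microsoft.Tri.Sensor.exe and that MDE records at least some of its outbound connections in DeviceNetworkEvents; verify the software name DeviceTvmSoftwareInventory reports for the sensor in your tenant before relying on the inventory filter.

```kql
// Added example, not the page's original query.
// Assumptions: sensor process name Microsoft.Tri.Sensor.exe; MDE logs some of its
// outbound connections in DeviceNetworkEvents within the lookback window.
let lookback = 7d;
let device_roles = dynamic(["EntraConnectServer", "AzureADConnectServer", "ActiveDirectoryCertificateServicesServer", "DomainController", "ADFS"]);
// Eligible servers, derived from the exposure graph exactly as in the query above.
let mdi_eligible_servers =
    ExposureGraphNodes
    | extend DeviceRoles = tostring(parse_json(NodeProperties)["rawData"]["deviceRole"])
    | extend CriticalityRuleNames = tostring(parse_json(NodeProperties)["rawData"]["criticalityLevel"]["ruleNames"])
    | where DeviceRoles has_any (device_roles) or CriticalityRuleNames has_any (device_roles)
    | distinct NodeName = tolower(NodeName), DeviceRoles, CriticalityRuleNames;
// Servers where the sensor package is inventoried; one row per device.
let mdi_installed =
    DeviceTvmSoftwareInventory
    | where SoftwareName == "azure_advanced_threat_protection_sensor"
    | summarize SoftwareVersion = take_any(SoftwareVersion) by DeviceName = tolower(DeviceName);
// Servers where the sensor process produced outbound network activity recently.
let mdi_active =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "Microsoft.Tri.Sensor.exe"
    | summarize LastSensorTraffic = max(Timestamp) by DeviceName = tolower(DeviceName);
// Start from the eligible set so every eligible server is evaluated;
// leftouter joins leave the installed/active columns empty where nothing matched.
mdi_eligible_servers
| join kind=leftouter mdi_installed on $left.NodeName == $right.DeviceName
| join kind=leftouter mdi_active on $left.NodeName == $right.DeviceName
| extend Issue = case(
    isempty(SoftwareVersion), "Eligible for MDI but sensor not installed",
    isnull(LastSensorTraffic), strcat("Sensor installed but no sensor traffic observed in the last ", tostring(lookback)),
    "None")
| where Issue != "None"
| project NodeName, DeviceRoles, CriticalityRuleNames, SoftwareVersion, LastSensorTraffic, Issue
```

The first `case` branch reproduces the original finding; the second only fires for servers that passed the inventory check, so a server is never reported twice. Tune `lookback` to how often the sensor is expected to talk to the service in your environment, and treat a long-running quiet period as a health issue to confirm on the host rather than as proof the sensor is down.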

Robbe Van den Daele
Released: June 23, 2025