This article will describe how to create security tasks in Intune from MDATP to take action on exploits.
Situation:
- Azure AD Joined MEM Intune managed devices
- Devices are enrolled in Microsoft Defender Advanced Threat Protection
- We have vulnerabilities and outdated applications with exploits (discovered in MDATP) on which we need to take action
Target:
- We want to log our MDATP security recommendations as a security task in MEM – Intune so we can take action on them
Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft’s robust cloud service:
- Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender ATP.
- Cloud security analytics: Leveraging big-data, machine-learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Office 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
- Threat intelligence: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Microsoft Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when these are observed in collected sensor data.
More info here.
1. Create a task from the Microsoft Defender Advanced Threat Protection dashboard.
MDATP is an amazing tool when it comes to security. In my Microsoft 365 projects it already helped me a lot with discovering outdated and unpatched applications that we needed to take action on urgently. But it also shows all vulnerabilities that your machines have. We can now create a sort of ‘ticket’ from MDATP that shows up in MEM Intune (Security Tasks), so we know which actions we have to take. It’s an easy way of keeping control over what you have to do to remove those vulnerabilities. It’s a logging mechanism, a sort of ticketing system so to say, and once you use it, you’ll see how useful it can be. Navigate to the Microsoft Defender Security Center and go to the Threat and Vulnerability Management dashboard.
On the right side you see all security recommendations MDATP spawns. Let’s take action on the ‘Update Chrome’ issue. Click on it. A new blade will pop up. Click on ‘Remediation options’.
This will again open a new blade. Make sure you check the ‘Open a ticket in Intune’ box. You can choose a ‘Priority’ yourself. Set a due date to give yourself a deadline to take action. Add notes to help you remediate the issue in MEM Intune. Click on ‘Submit request’.
You’ll see a confirmation if all went well.
2. Accept the task in MEM – Intune.
Navigate to the Microsoft Endpoint Manager admin center, go to ‘Endpoint Security’ and click on ‘Security tasks’. You can see there that we have 1 security task waiting for us: the one we just created from MDATP.
Click on the ‘Update Chrome’ task. This gives you a brief summary of what you have to do to remediate the issue. Let’s accept the task.
After accepting the task, it becomes active.
Now you take whatever actions are needed to remediate the issue. In this example you’ll have to update Chrome to the latest version. After updating it you can complete your security task.
Once your devices have received the updated Chrome, your organisation’s exposure score will drop. And that is what we want to achieve!
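The ‘tickets’ created above are also exposed through the Defender for Endpoint API as remediation activities, so you can report on tasks that are still active but past their due date. The following PowerShell is an added example, not code from the original article; it assumes an Azure AD app registration with the WindowsDefenderATP application permission RemediationTasks.Read.All, and the tenant id, app id and secret are placeholders.

```powershell
# Added example (not part of the original article): report Defender for Endpoint
# remediation activities that are still Active and already past their due date.
# Assumption: an Azure AD app registration holding the WindowsDefenderATP
# application permission RemediationTasks.Read.All; ids and secret are placeholders.

function Get-MdatpApiToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$AppSecret
    )
    # Client-credentials flow against the Defender for Endpoint API resource
    $authBody = [Ordered]@{
        resource      = 'https://api.securitycenter.microsoft.com'
        client_id     = $AppId
        client_secret = $AppSecret
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -Body $authBody `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token"
    return $resp.access_token
}

function Get-OverdueRemediationTasks {
    param([Parameter(Mandatory)][string]$Token)
    $headers = @{ Authorization = "Bearer $Token" }
    # "List remediation activities" endpoint of the Defender for Endpoint API
    $tasks = (Invoke-RestMethod -Method Get -Headers $headers `
        -Uri 'https://api.securitycenter.microsoft.com/api/remediationTasks').value
    $now = (Get-Date).ToUniversalTime()
    # Keep only tasks nobody has completed yet whose deadline has passed;
    # tasks created without a due date have a null dueOn and are skipped.
    $tasks |
        Where-Object {
            $_.status -eq 'Active' -and $_.dueOn -and
            ([datetime]$_.dueOn).ToUniversalTime() -lt $now
        } |
        Select-Object title, priority, dueOn, targetDevices, fixedDevices, requesterEmail |
        Sort-Object dueOn
}

$token = Get-MdatpApiToken -TenantId '<tenant-id>' -AppId '<app-id>' -AppSecret '<app-secret>'
Get-OverdueRemediationTasks -Token $token | Format-Table -AutoSize
```

The fixedDevices and targetDevices columns let you see how far an accepted task has progressed before its deadline, which the Intune blade only shows per task.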
You can create security tasks for all sorts of security recommendations, and they will also give you the remediation options. The only thing still bothering me is they don’t tell you how to configure it with configuration profiles or custom OMA-URI. They tell you how to do it with GPOs or with the registry. Maybe that will change in the future. Example:
Happy testing!