Endpoint With Missing Agents : Identifying And Managing Security Gaps

Endpoint security is crucial for protecting organizations from cyber threats. However, managing endpoint agents can be challenging, especially when devices are missing critical security software.

This article explores how to identify and manage endpoints with missing agents using tools like Microsoft Defender for Endpoint and Intune.

Challenges With Endpoint Agents

• Device Discovery and Agent Installation: Identifying which devices should have specific endpoint agents installed is a significant challenge.
  • This involves understanding the security policy requirements for different types of devices and ensuring the correct agents are installed.
• Reporting and Response: While tools like Intune provide reporting on Windows Defender’s health and status, there is no automatic response for devices with issues.
  • This means manual intervention is often required to address problems like outdated signatures or pending scans.

Tools For Identifying Missing Agents

1. Microsoft Defender for Endpoint:
   • Advanced Hunting: This feature allows you to create custom queries using Kusto Query Language (KQL) to identify devices missing specific agents. You can filter for devices not onboarded or with specific software missing.
   • Custom Detection Rules: These rules enable proactive monitoring of endpoints and can be set to alert when certain conditions are met, such as missing security software.
2. Intune:
   • Device Compliance Reports: Intune provides reports on Windows Defender’s status, including devices with issues like outdated signatures or pending scans. However, these reports do not automatically identify devices missing other types of agents.
   • Software Inventory: Intune can manage software inventory, but it may not always accurately reflect the installation status of all endpoint agents.

Identifying Missing Agents With Queries

To identify devices with missing agents, you can use queries like the following:

textlet targetAgent = "<SOFTWARENAMESTRING>";
let activeDevices = DeviceLogonEvents
| where TimeGenerated > ago(7d)
| where LogonType == "Interactive"
| where AccountDomain =~ "<DOMAIN>"
| distinct DeviceName;

DeviceTvmSoftwareInventory
| where DeviceName in~ (activeDevices)
| summarize Software = tostring(make_set(SoftwareName)) by DeviceName
| where Software !has targetAgent

For multiple agents:

textlet targetAgents = dynamic(["Agent1", "Agent2"]);
let activeDevices = DeviceLogonEvents
| where TimeGenerated > ago(7d)
| where LogonType == "Interactive"
| where AccountDomain == "<DOMAIN>"
| distinct DeviceName;

DeviceTvmSoftwareInventory
| where DeviceName in~ (activeDevices)
| summarize Software = make_set(SoftwareName) by DeviceName
| extend MissingAgents = set_difference(targetAgents, Software)
| project-away Software

Identifying endpoints with missing agents is crucial for maintaining robust security.

By leveraging tools like Microsoft Defender for Endpoint and Intune, organizations can proactively manage security gaps and ensure all devices are adequately protected.

Regular monitoring and custom queries can help identify and address issues before they become significant security risks.