If you use Microsoft Defender for Endpoint (MDE), you often need to tag devices according to some rules. In the past this was a manual task, or you automated it by using the API. Now Microsoft provides a way to tag systems automatically according to rules.
Introduction
Microsoft Defender for Endpoint (MDE) is a nice EDR solution. This article assumes that you already know MDE and have already onboarded systems. We will address here the new procedure for automating the tagging of your devices without using the API, PowerShell scripts or similar.
Tags are used in MDE for different things. One popular use of tags is to build device groups from them and apply specific remediation rules to each group, e.g. by default full remediation should be done, but on servers only remediation in non-core folders should be done.
Implementation
Before the Asset Rule Management feature was added, you had to tag each device manually in the security console.
Now, with the Asset Rule Management feature, you can create an automation rule to accomplish this task. In our first example we will tag our client systems as "Client".
- Log in to https://security.microsoft.com/
- Navigate to Settings → Microsoft 365 Defender → Asset rule management
- Hit the button Create a new rule
- Enter "Tag Client System" for the rule name and "This rule tags all client systems as "Client"" for the description
- Hit Next
- Create the rule condition. Since we want to tag all clients as "Client", we define the rule based on the operating system: use the property OS platform and select all client operating systems
- Hit Next
- You will see a summary; hit Submit to save your asset rule
- Hit Done to close the dialog
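Once the rule has run, a practitioner will want to confirm it actually did what the condition says. As an added check (not part of the original article and not Microsoft's code), the following Python compares each device's OS platform against its tags, using a constructed sample in the shape of the MDE "List machines" API response (GET https://api.securitycenter.microsoft.com/api/machines); the CLIENT_PLATFORMS set is an assumption that should mirror the platforms you selected in the rule.

```python
import json

# Constructed sample in the shape of the MDE List machines API response.
# Names, ids and platforms are made up for this example.
SAMPLE_MACHINES_JSON = """
{"value": [
  {"id": "m1", "computerDnsName": "ws-01.contoso.local",
   "osPlatform": "Windows11", "machineTags": ["Client"]},
  {"id": "m2", "computerDnsName": "ws-02.contoso.local",
   "osPlatform": "Windows10", "machineTags": []},
  {"id": "m3", "computerDnsName": "srv-01.contoso.local",
   "osPlatform": "WindowsServer2019", "machineTags": ["Server"]},
  {"id": "m4", "computerDnsName": "srv-02.contoso.local",
   "osPlatform": "WindowsServer2022", "machineTags": ["Client"]}
]}
"""

# Assumed: the OS platform values selected in the asset rule condition.
# Extend this set to match exactly what you ticked in the portal.
CLIENT_PLATFORMS = {"Windows10", "Windows11"}
CLIENT_TAG = "Client"


def audit_client_tags(machines_json, client_platforms=CLIENT_PLATFORMS, tag=CLIENT_TAG):
    """Return (missing, unexpected).

    missing    - client-platform devices the rule should have tagged but did not
    unexpected - non-client devices carrying the tag; the rule only tags devices
                 matching its condition, so these got the tag some other way
                 (e.g. an old manual tag) and deserve a look.
    """
    machines = json.loads(machines_json)["value"]
    missing = sorted(
        m["computerDnsName"] for m in machines
        if m["osPlatform"] in client_platforms and tag not in m.get("machineTags", [])
    )
    unexpected = sorted(
        m["computerDnsName"] for m in machines
        if m["osPlatform"] not in client_platforms and tag in m.get("machineTags", [])
    )
    return missing, unexpected


if __name__ == "__main__":
    missing, unexpected = audit_client_tags(SAMPLE_MACHINES_JSON)
    print("client devices without the tag:", missing)
    print("non-client devices with the tag:", unexpected)
```

Against a live tenant, replace SAMPLE_MACHINES_JSON with the body returned by the Machines API; an empty `missing` list means the rule covered every client device it was meant to.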
Final result
As you saw, it is very easy to create asset rules to automate tagging. In the future more features will be added to this section, so stay tuned. Here are the key takeaways:
- You can create automation rules for tagging assets
- You can define the criteria used to select systems
- You can define the action which should be taken; in our example, tagging the system
Further Reading
Here are some links: