Microsoft Defender for Endpoint Asset Rules

Author: rOger Eisenecher
> 12 years leading and building a SOC for MSSP • > 20 years working in security • > 40 years working with IT • 100% tech nerd.

If you use Microsoft Defender for Endpoint (MDE), you often need to tag devices according to some rules. In the past this was a manual task, or you automated it by using the API. Now Microsoft provides a way to tag systems automatically according to rules.

Introduction

Microsoft Defender for Endpoint (MDE) is a nice EDR solution. This article assumes that you already know MDE and that you have already onboarded systems. We will address the new procedure for automating the tagging of your devices without using the API, PowerShell scripts or similar.

Tags are used in MDE for different things. One popular use is to create a device group based on them and apply specific mitigation rules to that group, e.g. by default full mitigation should be done, but on servers only remediation on non-core folders should be done.

Implementation

Before the Asset Rule Management feature was added, you had to add tags for each device manually in the security console.

Now with the feature Asset Rule Management you can create an automation rule to accomplish this task. In our first example we will tag our client systems as Client.

  • Log in to https://security.microsoft.com/
  • Navigate to Settings > Microsoft 365 Defender > Asset rule management
  • Hit the button Create a new rule
  • Enter Tag Client System for the rule name and This rule tags all client systems as "Client" for the description
  • Hit Next
  • Create the rule condition. Because we want to tag all clients as Client, we define the rule based on the operating system: use the property OS platform and select all client operating systems
  • Hit Next
  • You will see a summary; hit Submit to save your asset rule
  • Hit Done to close the dialog

Figure: Empty asset rule management page.

Figure: Asset rule definition: Name and Description.

Figure: Asset rule definition: Define the condition for selecting devices.

Figure: Asset rule definition: Define action which should happen if a device matches the condition.

Figure: Asset rule definition: Review your definition before submitting.

Figure: Asset rule management with our newly created rule Tag Client System.

Important: Rules are scheduled so it will take some time until the devices are tagged.
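Because device groups built on tags decide which remediation level a device gets, it is worth checking the rule's result once the schedule has run. The following is an added example, not code from the original post or from Microsoft: it audits a device list for client systems missing the Client tag and for non-client systems carrying it. The sample records are constructed; the field names osPlatform and machineTags follow the MDE machine resource, and both the set of client platform values and the assumption that rule-applied tags appear in machineTags in your tenant need to be verified.

```python
"""Audit tag coverage for the 'Client' asset rule (added example)."""

# Assumption: the OS platform values selected in the rule condition.
CLIENT_PLATFORMS = {"Windows10", "Windows11", "macOS"}
TAG = "Client"

# Constructed sample inventory, not real tenant data.
SAMPLE_MACHINES = [
    {"computerDnsName": "ws-001.example.test", "osPlatform": "Windows11",
     "machineTags": ["Client"]},
    {"computerDnsName": "ws-002.example.test", "osPlatform": "Windows10",
     "machineTags": []},
    {"computerDnsName": "srv-001.example.test", "osPlatform": "WindowsServer2022",
     "machineTags": ["client"]},
    {"computerDnsName": "mac-001.example.test", "osPlatform": "macOS",
     "machineTags": None},
    {"computerDnsName": "srv-002.example.test", "osPlatform": "WindowsServer2019",
     "machineTags": ["Tier0"]},
]


def audit_tag_coverage(machines, platforms=CLIENT_PLATFORMS, tag=TAG):
    """Return devices that lack the tag but match the rule, and the reverse."""
    wanted = {p.casefold() for p in platforms}
    missing, unexpected = [], []
    for m in machines:
        name = m.get("computerDnsName") or m.get("id") or "<unknown>"
        platform = (m.get("osPlatform") or "").casefold()
        # Tags are compared case-insensitively (a choice made for this example)
        # so a manually typed variant on a server is reported as well.
        tags = {t.casefold() for t in (m.get("machineTags") or [])}
        has_tag = tag.casefold() in tags
        if platform in wanted and not has_tag:
            missing.append(name)      # would fall outside the client device group
        elif platform not in wanted and has_tag:
            unexpected.append(name)   # would receive the client remediation level
    return {"missing": sorted(missing), "unexpected": sorted(unexpected)}


if __name__ == "__main__":
    report = audit_tag_coverage(SAMPLE_MACHINES)
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

Devices listed as missing shortly after rule creation may simply not have been processed yet; entries that persist, or any unexpected entry, point to a rule condition or manual tag that needs review.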

Final result

As you saw, it is very easy to create asset rules to automate tagging. In the future more features will be added to this section, so stay tuned. Here are the key takeaways:

  • You can create automation rules for tagging assets
  • You can define the criteria used to select systems
  • You can define the action to be taken; in our example, tagging the system

Further Reading

Here are some links: