One important feature which often isn't utilised correctly is the use of tags within Microsoft Defender for Endpoint. This functionality was introduced to allow you to apply a granular level of control over how you manage your devices. In this blog we wanted to cover not only the primary uses for the tagging functionality, but also to explain some tips and tricks around how to use it effectively within your organisation. We have split this into three parts to cover the basics as well as some advanced scenarios for how to use tagging in your environment, so make sure to stay tuned to the blog for the full series.

The primary use for tagging is to allow you to create machine groups that can then be used for applying RBAC permissions. The purpose of this is to enable a level of control such that different users can log into the portal and see only the machines that they are responsible for. For example, in a large organisation spanning multiple geos, rather than each geo having its own instance of Microsoft Defender for Endpoint, you would have a single instance where access is controlled through the use of roles and machine groups. Having a single instance means that threat hunting and automation have full visibility of all devices across the entire organisation, which is critical when a threat is hitting multiple endpoints. The diagram below shows how you would break this down, and how you could further utilise this information to feed data into a SIEM where your SOC analysts can track threats across multiple areas of the infrastructure.

Later in this blog we will talk about the different ways you can apply tags to managed devices, but in order to utilise these tags you first need to create a machine group in the Microsoft Defender Security Center portal and then assign specific security groups containing the user accounts of the people who will manage those devices. This is simple to do, and setting up these machine groups is something you would typically do early on in the setup of the tenant, before you actually start any onboarding. This means that each time a machine is onboarded it goes straight into the appropriate group and only the correct people have visibility straight away.

One of the great benefits of tagging is using tags in machine views to present different views of machine lists. Some examples of why you would use tags in filtering include:

Lab Machines – There is really no reason to have a separate tenant just for testing, when the endpoints that report into Microsoft Defender for Endpoint can exist anywhere without any ties to a specific Azure AD or domain. In this scenario, you might want to identify the specific lab machines with a tag. By using this tag to create a machine group you can then exclude these machines from your threat reports or from threat and vulnerability management.
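The tag-to-group-to-RBAC chain described above can be made concrete with a small model. The following is an added illustration, not code from this blog or from Microsoft: it assumes that machine groups are evaluated in rank order and a device lands in the first group whose tag rule matches, with unmatched devices falling into a default bucket; the device names, tags, group names and security-group names are constructed sample data. It shows why the rank you give an exclusion group such as Lab matters, and how the same tag drives both a user's scoped portal view and the devices left in reporting once lab machines are excluded.

```python
"""Model of how Defender for Endpoint device tags drive machine-group
membership, RBAC-scoped views and report exclusions.

Added example, not code from the blog or the product. Assumption: groups
are evaluated by rank and a device joins the first group whose tag it
carries; anything unmatched goes to a default 'Ungrouped' bucket.
All names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Device:
    name: str
    tags: FrozenSet[str]  # tags applied at onboarding or afterwards


@dataclass(frozen=True)
class MachineGroup:
    name: str
    rank: int                       # lower rank is evaluated first
    tag: Optional[str]              # tag the group matches; None = default
    security_groups: FrozenSet[str]  # Azure AD groups granted access


# Constructed sample tenant: two geos plus a lab, one untagged device.
DEVICES = [
    Device("ws-emea-01", frozenset({"EMEA"})),
    Device("ws-emea-02", frozenset({"EMEA", "Lab"})),
    Device("ws-apac-01", frozenset({"APAC"})),
    Device("srv-lab-01", frozenset({"Lab"})),
    Device("ws-unknown", frozenset()),
]

# Lab is ranked first so a lab box that also carries a geo tag is still
# pulled out of the geo teams' views and out of reporting.
GROUPS = [
    MachineGroup("Lab", 1, "Lab", frozenset({"SG-Lab-Admins"})),
    MachineGroup("EMEA", 2, "EMEA", frozenset({"SG-EMEA-SOC", "SG-Global-SOC"})),
    MachineGroup("APAC", 3, "APAC", frozenset({"SG-APAC-SOC", "SG-Global-SOC"})),
    MachineGroup("Ungrouped", 99, None, frozenset({"SG-Global-SOC"})),
]


def assign_group(device, groups):
    """Return the first group (by rank) whose tag the device carries.

    A device tagged both 'EMEA' and 'Lab' lands in whichever of those
    groups has the lower rank, so rank exclusion groups ahead of the
    groups you want them to override.
    """
    for group in sorted(groups, key=lambda g: g.rank):
        if group.tag is None or group.tag in device.tags:
            return group
    raise ValueError("no default group configured")


def membership(devices, groups):
    """Map each group name to the sorted device names it contains."""
    result = {g.name: [] for g in groups}
    for d in devices:
        result[assign_group(d, groups).name].append(d.name)
    return {k: sorted(v) for k, v in result.items()}


def visible_devices(user_security_groups, devices, groups):
    """Devices a portal user sees: those whose machine group is tied to
    one of the user's security groups. This is the RBAC scoping the
    blog describes."""
    user_sgs = set(user_security_groups)
    return sorted(
        d.name for d in devices
        if assign_group(d, groups).security_groups & user_sgs
    )


def report_scope(devices, groups, exclude_groups=("Lab",)):
    """Devices that remain in threat / vulnerability reporting once the
    lab group is excluded, as in the Lab Machines example."""
    return sorted(
        d.name for d in devices
        if assign_group(d, groups).name not in exclude_groups
    )


if __name__ == "__main__":
    print(membership(DEVICES, GROUPS))
    print(visible_devices(["SG-EMEA-SOC"], DEVICES, GROUPS))
    print(report_scope(DEVICES, GROUPS))
```

Note that ws-emea-02 carries the EMEA tag but is invisible to the EMEA SOC: the higher-ranked Lab group claims it first. Swapping the ranks of Lab and EMEA would put that device back into the EMEA team's view and into reporting, which is the kind of ordering mistake worth checking when you set the groups up before onboarding.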