In today's blog, we will review Device Groups, a Defender for Endpoint capability.
Those groups are used across the Defender XDR portal for reporting and permissions. I often see them created based on the OS platform, which offers some insight but rarely reflects the organisation's structure.
In this blog, we will look at where to use device groups, what their limitations and constraints are, and how to build a strategy for them.
Things to know about device groups
Device groups are available with any MDE licence (MDE P1 and P2)
A device group is based on a rule
A device group rule can use the parameters: name, domain, tag, and OS
A device group rule can use the operators: starts with, ends with, equals, and contains and rules can be combined using And or Or logical operators.
Those rules are assessed on a regular basis; there is no clear public information on how often they are re-evaluated, so a newly tagged or renamed device may not move to its new group immediately.
A device can only belong to one group.
A device group rule is assigned a rank (1 is the highest)
A device is added to the highest-ranked group whose rule it matches, so rule ordering matters when rules overlap.
Devices that don't match any rules will be added to the "Ungrouped devices" group.
Device groups can be created by a Global Administrator, a Security Administrator, or a user holding the "Manage portal system settings" RBAC permission.
A device group is by default visible to all users with the relevant view permission.
A device group's visibility can be restricted by assigning it to one or more Entra ID security groups.
Where to use device groups?
We will now take a look at where we can use Device Groups in the Defender XDR portal:
Settings
RBAC
The primary use case is to limit access to, and visibility of, a group of devices and their related alerts and data to specific Microsoft Entra user groups.
Auto remediation
When we create a device group we must choose an automated remediation level, which determines how automated investigation and response (AIR) handles remediation actions on the group's devices: full (remediate threats automatically), semi (require approval for remediation in all, core, or non-temp folders), or no automated response.
Web content filtering
You can scope a web content filtering policy to one or more device groups
Email notification
You can scope an email notification policy to one or more device groups
Assets
The device inventory, available in the Assets section of the Defender XDR portal, allows you to see at a glance information such as device name, domain, risk level, OS platform, sensor health state and more details.
You can use the filters to refine this list and view the members of one or more device groups at a time
MDVM
Recommendations
You can use the Defender Vulnerability Management recommendations section to view recommendations, the number of weaknesses found, and other threat insights.
This list can be filtered to focus on one or more device groups
Baseline assessments
A security baseline profile is a customized profile that you can create to assess and monitor endpoints in your organization against industry security benchmarks. When you create a security baseline profile, you're creating a template that consists of multiple device configuration settings and a base benchmark to compare against.
These assessments can be filtered to focus on specific device groups
Reports
Defender XDR provides an extensive list of built-in reports across all solutions composing the XDR. Some of those reports can be filtered based on device groups:
Device health
The Device Health report provides information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, Windows 10 versions, and Microsoft Defender Antivirus update versions.
Vulnerable devices
The report shows graphs and bar charts with vulnerable device trends and current statistics. The goal is for you to understand the breadth and scope of your device exposure.
Web protection
When you navigate to details in the Web protection report, it can be filtered to focus on selected groups
Attack surface reduction rules
Advanced hunting
We can use the MachineGroup column of the DeviceInfo table to query a specific device group; it holds the name of the device group each device currently belongs to, so filtering on it scopes a hunting query the same way the portal filters do.
How to build device groups?
The default approach with device group rules is to use the OS parameter. It is easy and available out of the box. It can be useful at times but is limited in medium or large fleets of devices.
You could also use the Device Name as a way to group devices together. This method implies having a consistent and strict naming convention applied across the device fleet.
A more flexible approach may be to take advantage of the Tag parameter. Having a tagging strategy would open many more possibilities to split devices based on, for example:
Department
Support vendor
Criticality (PAW, Dev, Standards, Tiers)
Deployment (Insiders, Pilot, Ring 1, Ring 2, Ring 3)
Incident Response watchlist
Decommissioned/offboarded devices (Handling Inactive Devices in Microsoft Defender for Endpoint | Practical365)
Tags can be assigned manually. This is ideal for a one-off tag: simply select or filter the device inventory and apply the tag to the relevant devices.
You could also use an asset rule (Settings > Endpoints > Asset rule management) to tag devices dynamically based on logical conditions.
The available parameters are:
Device name
Domain
OS platform
Internet facing
Onboarding status
Device tags
The last solution (and my preferred one 🤩) is to use the available API and script the tagging at scale.
There are a few blogs available online from the Microsoft Tech Community, and I am also thinking of documenting a process to push your Azure tags to Defender XDR and automate the metadata enrichment of your cloud devices.
Until then, I have gathered a few useful links to get started with tagging at scale:
About | Link
--- | ---
Steve Newby on using the API to automate device tag deployment |
Kijo Girardi has also released a nice tool to tag devices at scale using PowerShell |
Jeffrey Appeal wrote a chapter on using Logic Apps |
Tomer Brand on using Flow/Power Automate to tag devices |
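As an added example (my own script, not code from the original post or from any of the tools linked above), here is one way to tie the two ideas together: query DeviceInfo through the MDE Advanced Hunting API, reading the MachineGroup column discussed in the Advanced hunting section, then tag at scale via the machines API so that a device group rule such as "Tag contains PAW" picks the devices up on its next evaluation. It assumes an Entra app registration holding the application permissions AdvancedQuery.Read.All and Machine.ReadWrite.All; the naming prefix and tag value passed in are placeholders for your own convention.

```powershell
<#
Added example, not part of the original post.
Finds devices whose name matches a naming-convention prefix, shows the device group
(DeviceInfo.MachineGroup) they currently sit in, and adds a manual tag to those that
lack it. A device group rule on that tag then moves them on the next rule evaluation.
Assumes an app registration with AdvancedQuery.Read.All and Machine.ReadWrite.All.
#>
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $ClientSecret,
    [Parameter(Mandatory)] [string] $NamePrefix,   # hypothetical convention, e.g. "LON-PAW"
    [Parameter(Mandatory)] [string] $Tag,          # tag the device group rule matches on, e.g. "PAW"
    [switch] $DryRun                               # list what would be tagged without calling the tag API
)

$ErrorActionPreference = 'Stop'
$ApiBase = 'https://api.securitycenter.microsoft.com'

# Client-credentials token for the MDE API (v1 token endpoint with a resource, as in Microsoft's API docs).
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = $ApiBase
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# Escape backslashes and quotes so the caller's prefix cannot break out of the KQL string literal.
$safePrefix = $NamePrefix -replace '\\', '\\' -replace '"', '\"'

# Latest DeviceInfo row per device; MachineGroup is the device group the device belongs to today.
$query = @"
DeviceInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, *) by DeviceId
| where DeviceName startswith "$safePrefix"
| project DeviceId, DeviceName, OSPlatform, MachineGroup, DeviceManualTags
"@

$hunt = Invoke-RestMethod -Method Post -Uri "$ApiBase/api/advancedqueries/run" `
    -Headers $headers -ContentType 'application/json' `
    -Body (@{ Query = $query } | ConvertTo-Json)

$tagged = 0
foreach ($device in $hunt.Results) {
    # DeviceManualTags is a JSON array string such as ["PAW","Pilot"]; skip devices already tagged.
    $existing = @()
    if ($device.DeviceManualTags) { $existing = @($device.DeviceManualTags | ConvertFrom-Json) }
    if ($existing -contains $Tag) {
        Write-Verbose "$($device.DeviceName) already has tag '$Tag' (current group: $($device.MachineGroup))"
        continue
    }

    Write-Host "Tagging $($device.DeviceName) [current group: $($device.MachineGroup)] with '$Tag'"
    if (-not $DryRun) {
        Invoke-RestMethod -Method Post -Uri "$ApiBase/api/machines/$($device.DeviceId)/tags" `
            -Headers $headers -ContentType 'application/json' `
            -Body (@{ Value = $Tag; Action = 'Add' } | ConvertTo-Json)
        # The tag endpoint is rate limited (documented at 100 calls/minute and 1500/hour); pace the loop.
        Start-Sleep -Milliseconds 2500
    }
    $tagged++
}
Write-Host "$tagged device(s) tagged. They move to the matching device group on the next rule evaluation."
```

Run it with -DryRun first to confirm the prefix selects only the devices you expect, then create (or rank appropriately) a device group whose rule is Tag contains the same value. Because the evaluation cadence of device group rules is not documented, re-run the hunting query a while later and check that MachineGroup has changed before relying on the new group for RBAC scoping or automated remediation levels.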
Thank you for reading!