top of page
Writer's pictureWill Francillette

MDE: Why and how to use Device Groups?

MDE logo

In today's blog, we will review Device Groups a Defender for Endpoints capability.

Those groups are used across the Defender XDR portal for reporting, or permissions. I often see them created based on the OS platform which offer insights but rarely reflect the organisation structure.

In this blog, we will look at where to use device groups, what are their limitations/constraints and how to strategies them.


Table of content



Things to know about device groups

  • Device groups are available with any MDE licences (MDE P1 and P2)

  • A device group is based on a rule

  • A device group rule can use the parameters: name, domain, tag, and OS

  • A device group rule can use the operators: starts with, ends with, equals, and contains and rules can be combined using And or Or logical operators.

  • Those rules are assess on a regular basis: there are no clear public information on how often those rules are reassessed

doc image
  • A device can only belong to one group.

  • A device group rule is assigned a rank (1 is the highest)

  • A device will be added to the group that first match the rule criteria.

  • Devices that don't match any rules will be added to the "Ungrouped devices" group.

  • Device groups can be created by a Global Administrator, a Security Administrator or a user with: "Manage portal system settings" RBAC permission.

  • A device group is by default visible to all users with the relevant view permission.

  • A device group visibility can be restricted by assigning it an Entra ID security group.


Where to use device groups?

 

We will now take a look at where can we use Device Groups in the Defender XDR portal:


Settings

MDE: settings
  • RBAC

    The primarily use case is to limit access/visibility to a group of devices, their related alerts and data to specific Microsoft Entra user groups.

MDE RBAC
  • Auto remediation

    When we create a device group we must choose an Auto-Remediation level

MDE Remediation level
  • Web content filtering

    You can scope a web content filtering policy to one or more device groups

MDE Web content filtering
  • Email notification

    You can scope an email notification policy related to one or more device groups

MDXDR Asset Rule Management

Assets

Assets

The device inventory, available in the Assets section of the Defender XDR portal, allows you to see at a glance information such as device name, domain, risk level, OS platform, sensor health state and more details.


You can use the filter to refine this list and visualize one or more specific device group members at a time

Device Inventory

MDVM

MDVM main
  • Recommendations

    You can use Defender for Vulnerability Management recommendation section to visualise recommendations, the number of weaknesses found and other threat insights.


This list can be filtered to focus on one or more device groups

MDVM recommendations filter
  • Baseline assessments

    A security baseline profile is a customized profile that you can create to assess and monitor endpoints in your organization against industry security benchmarks. When you create a security baseline profile, you're creating a template that consists of multiple device configuration settings and a base benchmark to compare against.

This assessments can be filtered to focus on specific device groups

MDVM baseline assessment filter

Reports


Reports main

Defender XDR provides an extensive list of built-in reports across all solutions composing the XDR. Some of those reports can be filtered based on device groups:


  • Device health

    The Device Health report provides information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, Windows 10 versions, and Microsoft Defender Antivirus update versions.

Reports Device health
  • Vulnerable devices

    The report shows graphs and bar charts with vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure.

Reports Vulnerable devices
  • Web protection

    When you navigate to details in the Web protection report, it can be filtered to focus on selected groups

    Reports Web protection
  • Attack surface reduction rules

    Reports ASR rules

Advanced hunting

Advanced Hunting main

We can use the MachineGroup parameter in the DeviceInfo table to query information on a specific device group:

Advanced Hunting query

How to build device groups?


The default approach with device group queries is to use the OS parameter. It's easy and available out of the box. It can be useful at times but may be limited in medium or large fleet of devices.

You could also use the Device Name as a way to group devices together. This method implies having a consistent and strict naming convention applied across the device fleet.

A more flexible approach may be to take advantage of the Tag parameter. Having a tagging strategy would open many more possibilities to split devices based on for example:


Tags can be assigned manually. This is ideal for a one-off tag. Simply select/filter the device inventory and apply the tag on relevant devices.

You could also use an Asset management rule and tag devices based on logical rules.

The available parameters are:

  • Device name

  • Domain

  • OS platform

  • Internet facing

  • Onboarding status

  • Device tags


The last and final solution (and my preferred 🤩) is using the available API and code/script the tagging at scale.

Defender API Tag

There are a few blogs available online from Microsoft Tech Community but also thinking documenting a process to push your Azure tags to Defender XDR and automate your cloud devices metadata enrichment.


Until then I have gathered a few useful links to get started with tagging at scale

About

Link

Steve Newby on using the API to automate device tag deployment

Kijo Girardi has also released a nice tool to tag devices at scale using PowerShell

Jeffrey Appeal wrote a chapter on using Logic Apps

Tomer Brand on using Flow/Power Automate to tag devices


Thank you for reading!



570 views0 comments

Comments


bottom of page