Active Remediation Device Group Set Up in Microsoft Defender for Endpoint
- Updated on 29 Mar 2024
The Red Canary Threat Hunting Team requires that specific groups be configured in Microsoft Defender for Endpoint (MDE) to identify all of the endpoints that require Active Remediation access.
This configuration gives your Threat Hunting Team a marker, or tag, on your endpoints so they know exactly which endpoints you want them to access in order to perform Active Remediation actions.
This article covers how to configure these groups, as required by the Red Canary Threat Hunting Team. You can do this in MDE or in Red Canary.
In MDE
Log in to your MDE console.
Go to Settings, click Endpoints, and then click Device Groups.
Add a new Device Group that includes all of your Active Remediation endpoints, or rename any current Device Group(s) that contain your Active Remediation endpoints.
Give the Device Group a name that starts with Remediate. For example, Remediate Accounting Machines.
This is the easiest way to classify/group all of the endpoints you want Red Canary to have access to for Active Remediation.
Note: If you want Red Canary to perform Active Remediation actions on all of your endpoints, create a Device Group that contains all of your endpoints and give it a name that follows the same convention (a name starting with Remediate).
In Red Canary, via endpoint tags
Log in to Red Canary, and go to the Endpoints page.
Select all of the endpoints for Active Remediation, and create a tag:
Select the endpoint.
Select the Reporting Tags dropdown.
Select Set tag and value.
Add AR_Group for the Tag name and Remediate for the Tag Value.
Once this is done, the Reporting Tags are listed in Red Canary next to your AR endpoints.
Note: Please keep in mind that Red Canary Endpoint Tags are static. The downside of this is that there is no way, from the Red Canary side, to automatically add these tags to new endpoints that are onboarded into your environment. To have tags automatically added to new endpoints in Red Canary, you would have to create a script using the Red Canary API.
Note: If your endpoints are already receiving the tag Remediate from your MDE Sensor Groups, then you do not need to also tag your endpoints with the AR_Group/Remediate tag on the Red Canary side. Ultimately, the endpoints need to be tagged with Remediate at least once.
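The two notes above define when an endpoint counts as marked for Active Remediation: it belongs to an MDE Device Group whose name starts with Remediate, or it carries the AR_Group/Remediate reporting tag in Red Canary. The following audit script is an added example, not Red Canary's or Microsoft's code; its endpoint records are constructed, and the field names (`mde_device_groups`, `reporting_tags`) are assumptions rather than any product's API schema. It reports endpoints you intended to include that carry neither marker, and endpoints that carry a marker but were not intended to be in scope.

```python
"""Audit which endpoints carry an Active Remediation marker (added example)."""
from dataclasses import dataclass, field

REMEDIATE_PREFIX = "Remediate"  # MDE Device Group naming convention from the article
AR_TAG_NAME = "AR_Group"        # Red Canary reporting tag name from the article
AR_TAG_VALUE = "Remediate"      # Red Canary reporting tag value from the article


@dataclass
class Endpoint:
    # Field names are assumptions for this example, not an API schema.
    hostname: str
    mde_device_groups: list = field(default_factory=list)
    reporting_tags: dict = field(default_factory=dict)


def covered_by_mde_group(ep: Endpoint) -> bool:
    """True if any MDE Device Group the endpoint belongs to starts with Remediate."""
    return any(g.startswith(REMEDIATE_PREFIX) for g in ep.mde_device_groups)


def covered_by_rc_tag(ep: Endpoint) -> bool:
    """True if the endpoint carries the AR_Group=Remediate reporting tag in Red Canary."""
    return ep.reporting_tags.get(AR_TAG_NAME) == AR_TAG_VALUE


def audit(endpoints, intended_for_ar):
    """Return (missing, unexpected): intended endpoints with neither marker,
    and endpoints carrying a marker that were not meant to be in scope."""
    def marked(ep):
        return covered_by_mde_group(ep) or covered_by_rc_tag(ep)
    missing = [ep.hostname for ep in endpoints
               if ep.hostname in intended_for_ar and not marked(ep)]
    unexpected = [ep.hostname for ep in endpoints
                  if ep.hostname not in intended_for_ar and marked(ep)]
    return missing, unexpected


# Constructed sample inventory: hostnames and group names are made up.
SAMPLE = [
    Endpoint("acct-01", ["Remediate Accounting Machines"]),
    Endpoint("acct-02", ["Accounting Machines"], {"AR_Group": "Remediate"}),
    Endpoint("acct-03", ["Accounting Machines"]),                # intended, no marker
    Endpoint("hr-01", ["HR Machines"], {"AR_Group": "Pending"}),  # wrong tag value
    Endpoint("dev-01", ["Remediate Dev Lab"]),                   # marked, not intended
]
INTENDED = {"acct-01", "acct-02", "acct-03", "hr-01"}
```

Run `audit(SAMPLE, INTENDED)` after each onboarding batch to catch endpoints that were never tagged, since the static Red Canary tags will not follow new devices on their own.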