Process: How to manually tag devices
365 Defender can now automatically tag devices, and rules have been put in place to do so. If devices still need to be tagged manually, please follow this article.
To keep each asset's purpose documented, and so that NCC Group (our MSSP) knows which devices it can isolate with or without approval, every device that Defender finds on our network must be tagged.
Available Tags
- ncc_isolate – NCC SOC can isolate as and when deemed necessary
- ncc_donotisolate – NCC SOC cannot isolate
- ncc_verifyisolation – NCC SOC must seek approval to isolate
- ncc_not_applicable – NCC SOC will not do anything with this device. This is used for devices that are not on our domain but have been “seen” by 365 Defender.
Process:
1. Go to 365 Defender (security.microsoft.com)
2. Go to Assets -> Devices on the left panel.
3. Select Filter
4. Select (Untagged) in the Tags filter, then Apply. You can add other filters to tag devices in batches (for example, selecting all Windows Server OS platforms).
5. Check the checkbox on the left of the device name
6. Click on Manage Tags at the top.
7. Input the appropriate tag:
   a. ncc_isolate – Used for ALL workstations
   b. ncc_verifyisolate – Used for ALL Servers
   c. ncc_not_applicable – Used for ALL Devices not on the mccc.mariecurie.local domain
8. Save and close
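After a batch of manual tagging, the result can be checked against the rules in step 7. The script below is an added example, not part of the original procedure: it audits a device list and reports untagged, mistyped, conflicting and mismatched tags. The record field names and sample devices are constructed, and the accepted spellings are assumed to be those in the Available Tags list.

```python
DOMAIN_SUFFIX = ".mccc.mariecurie.local"
# Assumption: accepted spellings are the ones in the "Available Tags" list.
ALLOWED_TAGS = {"ncc_isolate", "ncc_donotisolate",
                "ncc_verifyisolation", "ncc_not_applicable"}


def expected_tag(device):
    """Tag that step 7 assigns, from domain membership and OS platform."""
    if not device["dns_name"].lower().endswith(DOMAIN_SUFFIX):
        return "ncc_not_applicable"       # 7c: not on the domain
    if "server" in device["os_platform"].lower():
        return "ncc_verifyisolation"      # 7b: servers need approval
    return "ncc_isolate"                  # 7a: workstations


def audit(device):
    """Return (status, detail) for one device record."""
    ncc = [t for t in device["tags"] if t.lower().startswith("ncc_")]
    unknown = sorted(t for t in ncc if t not in ALLOWED_TAGS)
    want = expected_tag(device)
    if unknown:                           # typo: the SOC will not match it
        return ("unknown_tag", ", ".join(unknown))
    if not ncc:
        return ("untagged", want)
    if len(ncc) > 1:                      # ambiguous isolation instruction
        return ("conflict", ", ".join(sorted(ncc)))
    if ncc[0] == "ncc_donotisolate":      # exception set by hand, not by step 7
        return ("ok", "manual exception")
    if ncc[0] != want:
        return ("mismatch", f"has {ncc[0]}, step 7 gives {want}")
    return ("ok", ncc[0])


# Constructed sample records; field names are hypothetical.
D = ".mccc.mariecurie.local"
DEVICES = [
    {"dns_name": "ws-0142" + D, "os_platform": "Windows11", "tags": ["finance"]},
    {"dns_name": "srv-file01" + D, "os_platform": "WindowsServer2019", "tags": ["ncc_isolate"]},
    {"dns_name": "srv-sql02" + D, "os_platform": "WindowsServer2022", "tags": ["ncc_verifyisolate"]},
    {"dns_name": "desktop-7f3k2", "os_platform": "Windows10", "tags": ["ncc_not_applicable"]},
    {"dns_name": "ws-0200" + D, "os_platform": "Windows10", "tags": ["ncc_isolate", "ncc_donotisolate"]},
]

if __name__ == "__main__":
    for dev in DEVICES:
        status, detail = audit(dev)
        print(f"{dev['dns_name']:<40} {status:<12} {detail}")
```

A device that reports only a short hostname is treated as off-domain here, so check how names appear in your export before relying on the `ncc_not_applicable` result.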
Further Reading:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machine-tags?view=o365-worldwide