%3CLINGO-SUB%20id%3D%22lingo-sub-1521762%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20high%20value%20asset%20tagging%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1521762%22%20slang%3D%22en-US%22%3E%3CP%3EI%20wonder%20if%20there%20are%20plans%20to%20implement%20some%20automatic%20tagging%20using%20AI.%20Certainly%20MD%20ATP%20can%20determine%20what%20is%20a%20DC%20and%20suggest%20to%20apply%20high%20value%20tag.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1526717%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20high%20value%20asset%20tagging%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1526717%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20stuff%20but%20we%20should%20at%20bare%20minimum%20be%20able%20to%20modify%20this%20value%20based%20on%20pre-existing%20tags.%3CBR%20%2F%3EI.E.%20%22Any%20system%20with%20tag%20%22VIP%22%20set%20value%20to%20%22HIGH%22%22%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1528882%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20high%20value%20asset%20tagging%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1528882%22%20slang%3D%22en-US%22%3E%3CP%3EAgree%2C%20an%20auto-tagging%20feature%20would%20be%20great!%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1549154%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20high%20value%20asset%20tagging%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1549154%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20others%20have%20mentioned%2C%20it%20would%20be%20good%20to%20be%20able%20to%20automate%20the%20tagging%20process.%20Some%20ideas...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EAbility%20to%20mark%20a%20user%20as%20high%20value%20and%20automatically%20tag%20their%20primary%20device%3C%2FLI%3E%3CLI%3EAbililty%20to%20use%20an%20AAD%2FAD%20group%20of%20users%20%2F%20devices%20and%20automatically%20tag%3C%2FLI%3E%3CLI%3EUse%20user%20properties%20(e.g.%20Title)%20to%20tag%20primary%20device%3C%2FLI%3E%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1565159%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20high%20value%20asset%20tagging%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1565159%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F741765%22%20target%3D%22_blank%22%3E%40mongie0%3C%2FA%3E%26nbsp%3B%20You%20could%20create%20a%20script%20that%20tags%20based%20on%20information%20from%20AAD%2FAD%20and%20others.%26nbsp%3B%20To%20apply%20a%20tag%20automatically%20you%20can%20use%20either%20InTune%20or%20Group%20Policy.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3ERegistry%20key%3A%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EHKEY_LOCAL_MACHINE%5CSOFTWARE%5CPolicies%5CMicrosoft%5CWindows%20Advanced%20Threat%20Protection%5CDeviceTagging%5C%3C%2FLI%3E%3CLI%3ERegistry%20key%20value%20(REG_SZ)%3A%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EGroup%3C%2FLI%3E%3CLI%3ERegistry%20key%20data%3A%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EName%20of%20the%20tag%20you%20want%20to%20set%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fmachine-tags%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fmachine-tags%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1586615%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20high%20value%20asset%20tagging%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1586615%22%20slang%3D%22en-US%22%3E%3CP%3EAuto-tagging%20would%20be%20great%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1521459%22%20slang%3D%22en-US%22%3EAnnouncing%20high%20value%20asset%20tagging%20in%20Microsoft%20Defender%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1521459%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20attackers%20enter%20your%20network%2C%20they%20don%E2%80%99t%20treat%20all%20your%20assets%20equally.%20Some%20are%20more%20valuable%20than%20others.%20Assets%20such%20as%20domain%20controllers%2C%20internet%20facing%20machines%2C%20executive%E2%80%99s%20devices%2C%20and%20machines%20that%20host%20internal%20and%20external%20production%20services%20are%20attractive%20to%20bad%20actors%20%E2%80%93%20offering%20them%20access%20to%20sensitive%20corporate%20data%2C%20or%20ways%20to%20move%20further%20laterally%20across%20the%20organization.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThese%20assets%20require%20higher%20levels%20of%20attention%20from%20the%20security%20team%20and%20should%20be%20prioritized%20when%20it%20comes%20to%20reducing%20overall%20risk%20for%20an%20organization.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EToday%2C%20we%20are%20excited%20to%20introduce%20a%20new%20setting%20in%20Microsoft%20Defender%20ATP%20that%20allows%20customers%20to%20define%20a%20machine%E2%80%99s%20value%20to%20the%20organization.%20The%20first%20use%20case%20scenario%20for%20this%20is%20in%20threat%20and%20vulnerability%20management.%20This%20feature%2C%20now%20in%20public%20preview%2C%20will%20help%20customers%20differentiate%20between%20asset%20priorities%2C%20which%20results%20in%20a%20more%20accurate%20assessment%20of%20their%20overall%20risk.%20It%E2%80%99s%20the%20first%20time%20we%E2%80%99re%20providing%20a%20tool%20to%20our%20customers%20that%20enables%20them%20to%20help%20us%20in%20providing%20a%20more%20accurate%20assessment%20of%20their%20risk.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESecurity%20teams%20will%20benefit%20from%20having%20the%20additional%20machine%20value%20context%2C%20set%20by%20the%20admin%2C%20as%20they%20conduct%20investigations%20%E2%80%93%20helping%20to%20further%20bridge%20the%20gap%20between%20security%20and%20IT%20teams.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20the%20high%20value%20asset%20prioritizations%2C%20organizations%20can%20define%20a%20machine%E2%80%99s%20value%20with%20the%20following%20options%3A%3C%2FP%3ELow%20Value%20Normal%20Value%20(Default)%20High%20Value%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20threat%20and%20vulnerability%20management%2C%20the%20machine%20value%20is%20used%20to%20incorporate%20the%20risk%20appetite%20of%20an%20individual%20asset%20into%20the%20exposure%20score%20calculation.%20Meaning%20that%20machines%20marked%20as%20%E2%80%9Chigh%20value%E2%80%9D%20will%20receive%20more%20weight%20in%20the%20exposure%20score%20calculation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESetting%20a%20machine%20value%20is%20simple%3A%3C%2FP%3ENavigate%20into%20any%20machine%20page%20Select%20Machine%20Value%20and%20define%20a%20value%20Review%20the%20value%20in%20the%20machine%20tag%20area%3CP%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOur%20newest%20partner%2C%20XM%20Cyber%2C%20a%20breach%20and%20attack%20simulation%20and%20security%20posture%20management%20solution%20provider%2C%20-ERR%3AREF-NOT-FOUND-integrates%20with%20Microsoft%20Defender%20ATP%20and%20threat%20and%20vulnerability%20management%20to%20help%20customers%20see%20how%20an%20attacker%20moves%20laterally%20and%20compromises%20critical%20assets.%20The%20platform%20leverages%20the%20new%20machine%20tagging%20capability%20to%20help%20customers%20tag%20their%20most%20critical%20assets%20and%20adds%20rich%20contextual%20information%20to%20enable%20customers%20to%20fully%20assess%20the%20risk%20of%20an%20attack%20and%20understand%20the%20steps%20needed%20for%20remediation.%20We%E2%80%99re%20working%20with%20additional%20partners%20to%20incorporate%20machine%20tagging%20and%20can%E2%80%99t%20wait%20to%20share%20these%20collaborations%20with%20you%20in%20the%20near%20future.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGetting%20started%3C%2FP%3E%3CP%3EThis%20feature%20is%20in%20public%20preview%20today%20and%20those%20customers%20that%20have%20preview%20features%20turned%20on%20can%20start%20trying%20it%20out%20immediately.%20If%20you%20haven%E2%80%99t%20yet%20opted%20in%2C%20we%20encourage%20you%20to%20-ERR%3AREF-NOT-FOUND-turn%20on%20preview%20features%20in%20the%20Microsoft%20Defender%20Security%20Center.%20We%20welcome%20your%20feedback!%20If%20you%20have%20any%20comments%20or%20questions%2C%20let%20us%20know!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1521459%22%20slang%3D%22en-US%22%3E%3CP%3E%3C%2FP%3E%3CP%3EWe%20are%20excited%20to%20introduce%20a%20new%20setting%20in%20Microsoft%20Defender%20ATP%20that%20allows%20customers%20to%20define%20a%20machine%E2%80%99s%20value%20to%20the%20organization.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1521459%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EHVA%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EThreat%20%26amp%3B%20Vulnerability%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

When attackers enter your network, they don’t treat all your assets equally. Some are more valuable than others. Assets such as domain controllers, internet facing machines, executive’s devices, and machines that host internal and external production services are attractive to bad actors – offering them access to sensitive corporate data, or ways to move further laterally across the organization.

 

These assets require higher levels of attention from the security team and should be prioritized when it comes to reducing overall risk for an organization.

 

Today, we are excited to introduce a new setting in Microsoft Defender ATP that allows customers to define a machine’s value to the organization. The first use case scenario for this is in threat and vulnerability management. This feature, now in public preview, will help customers differentiate between asset priorities, which results in a more accurate assessment of their overall risk. It’s the first time we’re providing a tool to our customers that enables them to help us in providing a more accurate assessment of their risk.

 

Security teams will benefit from having the additional machine value context, set by the admin, as they conduct investigations – helping to further bridge the gap between security and IT teams.

 

High value asset tag of device from incidents pageHigh value asset tag of device from incidents page

 

With the high value asset prioritizations, organizations can define a machine’s value with the following options:

  • Low Value
  • Normal Value (Default)
  • High Value

 

In threat and vulnerability management, the machine value is used to incorporate the risk appetite of an individual asset into the exposure score calculation. Meaning that machines marked as “high value” will receive more weight in the exposure score calculation.

 

Setting a machine value is simple:

  1. Navigate into any machine page
  2. Select Machine Value and define a value
  3. Review the value in the machine tag area

Options to set the device value.Options to set the device value.

 

Our newest partner, XM Cyber, a breach and attack simulation and security posture management solution provider, integrates with Microsoft Defender ATP and threat and vulnerability management to help customers see how an attacker moves laterally and compromises critical assets. The platform leverages the new machine tagging capability to help customers tag their most critical assets and adds rich contextual information to enable customers to fully assess the risk of an attack and understand the steps needed for remediation. We’re working with additional partners to incorporate machine tagging and can’t wait to share these collaborations with you in the near future.

 

Getting started

This feature is in public preview today and those customers that have preview features turned on can start trying it out immediately. If you haven’t yet opted in, we encourage you to turn on preview features in the Microsoft Defender Security Center. We welcome your feedback! If you have any comments or questions, let us know!

6 Comments
Super Contributor

I wonder if there are plans to implement some automatic tagging using AI. Certainly MD ATP can determine what is a DC and suggest to apply high value tag.

Occasional Visitor

Good stuff but we should at bare minimum be able to modify this value based on pre-existing tags.
I.E. "Any system with tag "VIP" set value to "HIGH""

Occasional Visitor

Agree, an auto-tagging feature would be great!   

Visitor

As others have mentioned, it would be good to be able to automate the tagging process. Some ideas...

 

  • Ability to mark a user as high value and automatically tag their primary device
  • Abililty to use an AAD/AD group of users / devices and automatically tag
  • Use user properties (e.g. Title) to tag primary device
Senior Member

@mongie0  You could create a script that tags based on information from AAD/AD and others.  To apply a tag automatically you can use either InTune or Group Policy.

 

  • Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
  • Registry key value (REG_SZ): Group
  • Registry key data: Name of the tag you want to set

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/machine-t...

Occasional Contributor

Auto-tagging would be great