Review and classify critical assets

Microsoft Security Exposure Management helps keep your business critical assets secure and available. This article describes how to work with critical assets.

Security Exposure Management is currently in public preview.

Important

Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

Prerequisites

  • Before you start, learn about critical asset management in Security Exposure Management.

  • Review required permissions for working with the critical assets.

  • When classifying critical assets, we support devices running version 10.3740.XXXX of the Defender for Endpoint sensor or later. We recommend running a more recent sensor version, as listed on the Defender for Endpoint What's New page.

    You can check which sensor version a device is running as follows:

    • On a specific device, browse to the MsSense.exe file in C:\Program Files\Windows Defender Advanced Threat Protection. Right-click the file, and select Properties. On the Details tab, check the file version.

    • For multiple devices, it's easier to run an advanced hunting Kusto query to check device sensor versions, as follows:

      DeviceInfo | project DeviceName, ClientVersion
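
The query above returns one row per report, not per device. As an added example (not part of the original article), the following advanced hunting query keeps each device's latest report and flags sensors below the supported minimum. It assumes a seven-day lookback, that only Windows devices are in scope, and that comparing major.minor (10.3740) is enough, because the article elides the build component.

```kusto
// Added example, not from the original article.
// Assumption: only major.minor (10.3740) is compared, because the article
// gives the minimum sensor version as 10.3740.XXXX with the build elided.
let MinMajor = 10;
let MinMinor = 3740;
DeviceInfo
| where Timestamp > ago(7d)                      // assumed lookback window
| where isnotempty(ClientVersion)
// Assumption: restrict to Windows, where the sensor is MsSense.exe.
| where OSPlatform startswith "Windows"
// DeviceInfo holds many rows per device; keep the most recent report.
| summarize arg_max(Timestamp, DeviceName, OSPlatform, ClientVersion) by DeviceId
| extend Parts = split(ClientVersion, ".")
| extend Major = toint(tostring(Parts[0])), Minor = toint(tostring(Parts[1]))
| extend MeetsMinimum = Major > MinMajor or (Major == MinMajor and Minor >= MinMinor)
// Devices below the minimum sort first so they can be upgraded before classification.
| project DeviceName, OSPlatform, ClientVersion, MeetsMinimum, LastSeen = Timestamp
| order by MeetsMinimum asc, ClientVersion asc
```

Devices with MeetsMinimum set to false are the ones to upgrade before relying on critical asset classification for them.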

Review critical assets

Review critical assets as follows.

  1. In the Microsoft Defender portal, select Settings > Microsoft XDR > Rules > Critical asset management.
  2. On the Critical asset management page, review predefined and custom critical asset classifications, including the number of assets in the classification, whether assets are on or off, and criticality levels.

Screenshot of the Critical asset management window.

Note

You can also see critical assets in Assets > Devices > Classify critical asset. In addition, you can view the Critical Asset Protection initiative in Exposure insights > Initiatives.

Request a new predefined classification

Request a new predefined classification as follows.

  1. On the Critical asset management page, select Suggest new classification.

  2. Fill in what classification you'd like to see and then select Submit request.

Create a custom classification

Create a custom classification as follows.

  1. On the Critical asset management page, select Create a new classification.

  2. On the Create a critical asset classification page, complete the following information to set your classification criteria:

    • Name - A new classification name.
    • Description - A new classification description.
    • Query builder
      • Use the query builder to define a new classification, for instance, "mark all devices with a certain naming convention as critical."
      • Add one or more boolean filters that are defined per device, identity, or cloud resource.

Screenshot of the page where you create critical asset classifications.

  3. After setting the criteria, select Next.
  4. On the following pages, preview the affected assets, and assign the criticality level.

Set critical asset levels

Set levels as follows.

  1. On the Critical asset management page, select a critical asset classification.

  2. In the Overview tab, select the desired criticality level.

  3. Select Save.

Screenshot of the Critical asset management criticality editing feature.

Note

You can set critical levels manually in the device inventory. We recommend creating criticality rules that allow broad application of critical levels across assets.

Edit custom classifications

Edit custom classifications as follows.

  1. On the Critical asset management page, browse to the classification you want to modify. Only custom classifications can be edited or deleted.
  2. Select Edit, Delete, or Turn off.

Add assets to classifications

  1. On the Critical asset management page, select the relevant asset classification.

  2. To see all assets in the classification, select the Overview or Assets tab.

  3. Review the asset list.

  4. To approve assets that fit the classification but are out of threshold, browse to Assets to review.

  5. Review the listed assets. Select the plus button next to the assets you want to add.

Note

Assets to review only displays when there are assets to review.

Screenshot of the Assets to review screen.

You can change the criticality levels and turn off all assets. You can also edit and delete custom critical assets.

Sort by criticality

  1. Select Devices in the Device Inventory.
  2. Sort by Criticality level to view business critical assets with a "very high" level of criticality.

Screenshot of the Device inventory window.

Prioritize recommendations for critical assets

To help you prioritize security recommendations and focus remediation steps on critical assets, the Security recommendations page in the Microsoft Defender portal shows the sum of exposed critical assets for each recommendation.

To see the sum of exposed critical assets, go to the Security recommendations page:

Screenshot of the critical assets column on the security recommendations page.

Next steps

Learn about simulating attack paths.