Working with Roles in Windows Defender ATP

As with everything else we want to apply a least privilege access.

If you need permission to do X you should only have access to do X and not several other things.

That’s why you should define the roles and reponsibilities in your organization to make sure you can apply a least privilege strategy.

Many products supports RBAC and should be used.

Working with Roles in Windows Defender ATP is very simple. You can enable it in Settings menu.

Settings > Roles > Enable Roles

enableRoles

The Global administrator role is added by default and have full permissions which can’t be changed.

Creating Roles

It’s not a bad idea to create a few roles, even if it’s just ju who are the complete security team. One reason is organizational changes and one important reason is that we don’t want people to work as global administrators.

Create Role

In Settings > Permissions > Roles > Add Role

createrole

Assign Azure AD group to the role

aadgroups

 

One example of roles setup could be:

  • Viewonly – For managers, able to view data
  • ATP-Users – Teams working with ATP, run scans, threat remediation etc
  • ATP-Administrators – ATP Admins, change settings and manage security roles

Depending on your organization you might need more defined roles list.

Here is the permission list and sub items is what will be granted more specific to the role.

  • View Data
    • View Data
  • Alerts investigation
    • Manage alerts
    • Initiate automated investigations
    • Run scans
    • Collect investigation packages
    • Manage machine tags
  • Active remediation actions
    • Take responsive actions
    • Approve or dismiss pending remediation actions
  • Manage security settings
    • Configure alert suppression settings
    • Manage allowed/blocked lists for automation
    • Manage folder exclusions for automated (applies globally)
    • Onboard and offboard machines
    • Manage email notifications

Working with Machine Groups

To be able to separate duties even further and configure different automatic remediation rules for different Machines we have the Machine Groups features.

Machine Groups is a way to group onaboarded Machines based on Name, Domain, Machine Tag and Operating System.

machinegroup

When using the “Show preview” at the bottom of the configuration page, you can see which onboarded machines will added to the Group.

You can select automation level

  • Semi – Require approval for any remediation
  • Semi – Require approval for non-temp folders remediation
  • Semi – Require approval for core folders remediation
  • Full – Remediate threats automatically

And you can assign a Azure AD userg group with roles to the machine group

mg_usergroup

The Groups, depending on how you defined group membership rules, will be populated automatically.

change_preview

more information about Machine Groups can be found here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection

more information about RBAC in WD ATP can be found here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection

Happy Hunting!

/Sec-Labs R&D

 

 

 

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.