Summary
This repository, DefenderForServersMappingToMDETag, provides an ARM template that writes the Azure subscription name as a Microsoft Defender for Endpoint (MDE) device tag in Defender XDR for every Azure Virtual Machine (VM) onboarded to MDE through Defender for Servers. The template deploys a Logic App that creates the MDE tags periodically.
- Tag name: DefenderForServers
- Tag name: <Your Azure Subscription Name>, taken from the Azure Resource Graph query result
The Japanese version of README.md is here.
Let's install the ARM template!
After deploying to Azure, you need to configure the following:
- As the first step, tune the "Recurrence" trigger interval. The initial parameter is set to 1 month; modify it if you want a different polling interval.
- Grant the Logic App's system-assigned managed identity the Reader role on every relevant subscription. The Logic App posts its query to Azure Resource Graph using the system-assigned managed identity, so if Defender for Servers is deployed to Azure VMs in multiple subscriptions, the managed identity needs the Reader role on each of those subscriptions; otherwise the subscription name cannot be resolved for VMs in the subscriptions it cannot read.
After the tuning, start the Logic App manually to check it. If the configuration succeeded, the two tags DefenderForServers and <Azure Subscription Name> are set on each device in Defender XDR.
- The Logic App first queries all device resources in Defender XDR, filtered as follows:
  - onboardingStatus is Onboarded
  - healthStatus is Active
  - NOT machineTags equal DefenderForServers (on the first run the tag is written to every matched device; on later runs devices that already carry it are ignored)
  - NOT osPlatform eq Windows10 or osPlatform eq Windows11
- The Logic App picks up the subscription ID from the resource ID information that Defender XDR holds for the device. Some devices do not have subscriptionId embedded in Defender XDR, so this template picks up the resourceId and extracts the subscription ID from it.
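The following Python model, added here as an illustration and not part of the repository's ARM template or Logic App, shows the two steps above end to end: the device filter from the list above, and the fallback from subscriptionId to the Azure resource ID. Everything is constructed sample data, so it runs offline without calling the Defender XDR or Azure Resource Graph APIs. It assumes the device records use the field names listed on this page (onboardingStatus, healthStatus, machineTags, osPlatform) plus a vmMetadata object carrying resourceId and subscriptionId, and that the subscription-name lookup is the Resource Graph query given in ARG_SUBSCRIPTION_NAME_QUERY (both are assumptions, not something the page states).

```python
"""Offline model of the tagging flow: filter Defender XDR devices, derive the
subscription ID (directly or from the Azure resource ID), map it to the
subscription name, and emit the two tags the Logic App would write."""
import re
from typing import Dict, List, Optional

# Assumption: the Resource Graph query the Logic App would post with its
# managed identity to resolve subscription IDs to display names.
ARG_SUBSCRIPTION_NAME_QUERY = (
    "resourcecontainers "
    "| where type == 'microsoft.resources/subscriptions' "
    "| project subscriptionId, name"
)

# Constructed sample of an Azure Resource Graph result (subscription ID -> name).
# Subscription "cccc..." is deliberately absent, standing in for a subscription
# where the managed identity has no Reader role.
SUBSCRIPTION_NAMES = {
    "aaaaaaaa-0000-0000-0000-000000000001": "Production",
    "bbbbbbbb-0000-0000-0000-000000000002": "Development",
}

# Constructed sample of Defender XDR device records (assumed field names).
SAMPLE_DEVICES = [
    {"id": "dev-1", "onboardingStatus": "Onboarded", "healthStatus": "Active",
     "machineTags": [], "osPlatform": "WindowsServer2022",
     "vmMetadata": {"subscriptionId": "AAAAAAAA-0000-0000-0000-000000000001",
                    "resourceId": "/subscriptions/aaaaaaaa-0000-0000-0000-000000000001"
                                  "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm1"}},
    # subscriptionId missing: must be extracted from resourceId
    {"id": "dev-2", "onboardingStatus": "Onboarded", "healthStatus": "Active",
     "machineTags": [], "osPlatform": "Linux",
     "vmMetadata": {"resourceId": "/subscriptions/bbbbbbbb-0000-0000-0000-000000000002"
                                  "/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm2"}},
    # client OS: excluded by the osPlatform filter
    {"id": "dev-3", "onboardingStatus": "Onboarded", "healthStatus": "Active",
     "machineTags": [], "osPlatform": "Windows11", "vmMetadata": {}},
    # already tagged on a previous run: excluded by the machineTags filter
    {"id": "dev-4", "onboardingStatus": "Onboarded", "healthStatus": "Active",
     "machineTags": ["DefenderForServers", "Production"], "osPlatform": "WindowsServer2019",
     "vmMetadata": {"subscriptionId": "aaaaaaaa-0000-0000-0000-000000000001"}},
    # not healthy: excluded by the healthStatus filter
    {"id": "dev-5", "onboardingStatus": "Onboarded", "healthStatus": "Inactive",
     "machineTags": [], "osPlatform": "Linux", "vmMetadata": {}},
    # Azure VM in a subscription the identity cannot read: no name, so no tags
    {"id": "dev-6", "onboardingStatus": "Onboarded", "healthStatus": "Active",
     "machineTags": [], "osPlatform": "Linux",
     "vmMetadata": {"resourceId": "/subscriptions/cccccccc-0000-0000-0000-000000000003"
                                  "/resourceGroups/rg-x/providers/Microsoft.Compute/virtualMachines/vm6"}},
]

# Azure resource IDs start with /subscriptions/<GUID>/ ; GUIDs are case-insensitive.
_SUBSCRIPTION_RE = re.compile(r"^/subscriptions/([0-9a-fA-F-]{36})/")


def subscription_id_from_resource_id(resource_id: str) -> Optional[str]:
    """Extract the subscription GUID from an Azure resource ID, lower-cased."""
    match = _SUBSCRIPTION_RE.match(resource_id)
    return match.group(1).lower() if match else None


def is_candidate(device: dict) -> bool:
    """Apply the Defender XDR device filter described in the README."""
    if device.get("onboardingStatus") != "Onboarded":
        return False
    if device.get("healthStatus") != "Active":
        return False
    if "DefenderForServers" in device.get("machineTags", []):
        return False
    if device.get("osPlatform") in ("Windows10", "Windows11"):
        return False
    return True


def resolve_subscription_id(device: dict) -> Optional[str]:
    """Prefer the embedded subscriptionId; fall back to parsing resourceId."""
    vm = device.get("vmMetadata") or {}
    if vm.get("subscriptionId"):
        return vm["subscriptionId"].lower()
    if vm.get("resourceId"):
        return subscription_id_from_resource_id(vm["resourceId"])
    return None  # no Azure metadata at all: not an Azure VM


def plan_tags(devices: List[dict], subscription_names: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {device id: [tags to write]} for the devices this run would tag."""
    plan: Dict[str, List[str]] = {}
    for device in devices:
        if not is_candidate(device):
            continue
        sub_id = resolve_subscription_id(device)
        if sub_id is None:
            continue
        name = subscription_names.get(sub_id)
        if name is None:
            continue  # unresolved: typically a missing Reader role
        plan[device["id"]] = ["DefenderForServers", name]
    return plan


if __name__ == "__main__":
    for device_id, tags in plan_tags(SAMPLE_DEVICES, SUBSCRIPTION_NAMES).items():
        print(device_id, "->", tags)
```

Devices that drop out with no resolvable subscription name (dev-6 in the sample) are the ones to look for when a run leaves VMs untagged; in the real Logic App that symptom usually means the managed identity lacks the Reader role on that subscription.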