Review and classify critical assets
Microsoft Security Exposure Management helps keep your business critical assets secure and available. This article describes how to work with critical assets.
Prerequisites
Before you start, learn about critical asset management in Security Exposure Management.
Review required permissions for working with critical assets.
When classifying critical assets, we support devices running version 10.3740.XXXX of the Defender for Endpoint sensor or later. We recommend running a more recent sensor version, as listed on the Defender for Endpoint What's New page.
You can check which sensor version a device is running as follows:
On a specific device, browse to the MsSense.exe file in C:\Program Files\Windows Defender Advanced Threat Protection. Right-click the file, and select Properties. On the Details tab, check the file version.
For multiple devices, it's easier to run an advanced hunting Kusto query to check device sensor versions, as follows:
DeviceInfo | project DeviceName, ClientVersion
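The following query is an added example, not part of the original article. It extends the query above to list only onboarded Windows devices whose sensor reports a version below 10.3740, the major.minor prefix of the minimum stated earlier. The build part of the minimum (XXXX) is not given on this page, so it is not compared. The seven-day window, the Windows-only filter, and the names MinMajor, MinMinor, Parts, Major, Minor, SensorStatus, and LastSeen are assumptions of the example.

```kusto
// Added example: find devices whose Defender for Endpoint sensor is older
// than the minimum major.minor (10.3740) named in this article.
// The build part of the minimum (XXXX) is not specified, so it is not compared.
let MinMajor = 10;
let MinMinor = 3740;
DeviceInfo
| where Timestamp > ago(7d)   // assumption: a 7-day lookback is enough to see every active device
// DeviceInfo holds many rows per device; keep only the most recent report.
| summarize arg_max(Timestamp, DeviceName, OSPlatform, OnboardingStatus, ClientVersion) by DeviceId
| where OnboardingStatus == "Onboarded"
// Assumption: only Windows sensors use the 10.x version scheme checked here.
| where OSPlatform startswith "Windows"
// Compare numerically, part by part; a plain string comparison would
// rank "10.10000" below "10.3740".
| extend Parts = split(ClientVersion, ".")
| extend Major = toint(tostring(Parts[0])), Minor = toint(tostring(Parts[1]))
| extend SensorStatus = case(
    isempty(ClientVersion) or isnull(Major) or isnull(Minor), "Unknown version",
    Major < MinMajor or (Major == MinMajor and Minor < MinMinor), "Below minimum",
    "Meets minimum")
// Surface unparsable or missing versions too, instead of silently dropping them.
| where SensorStatus != "Meets minimum"
| project DeviceName, DeviceId, OSPlatform, ClientVersion, SensorStatus, LastSeen = Timestamp
| sort by SensorStatus asc, DeviceName asc
```

Devices returned with "Unknown version" did not report a parsable ClientVersion and need a manual check of MsSense.exe as described above.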
Review critical assets
Review critical assets as follows.
- In the Microsoft Defender portal, select Settings > Microsoft XDR > Rules > Critical asset management.
- On the Critical asset management page, review predefined and custom critical asset classifications, including the number of assets in the classification, whether assets are on or off, and criticality levels.
Note
You can also see critical assets in Assets > Devices > Classify critical asset. In addition, you can view the Critical Asset Protection initiative in Exposure insights > Initiatives.
Request a new predefined classification
Request a new predefined classification as follows.
On the Critical asset management page, select Suggest new classification.
Fill in what classification you'd like to see and then select Submit request.
Create a custom classification
Create a custom classification as follows.
On the Critical asset management page, select Create a new classification.
On the Create a critical asset classification page, complete the following information to set your classification criteria:
- Name - A new classification name.
- Description - A new classification description.
- Query builder
- Use the query builder to define a new classification, for instance, "mark all devices with a certain naming convention as critical."
- Add one or more boolean filters that are defined per device, identity, or cloud resource.
- After setting the criteria, select Next.
- On the following pages, preview the affected assets, and assign the criticality level.
Set critical asset levels
Set levels as follows.
On the Critical asset management page, select a critical asset classification.
In the Overview tab, select the desired criticality level.
Select Save.
Note
You can set critical levels manually in the device inventory. We recommend creating criticality rules that allow broad application of critical levels across assets.
Edit custom classifications
Edit custom classifications as follows.
- On the Critical asset management page, browse to the classification you want to modify. Only custom classifications can be edited or deleted.
- Select Edit, Delete, or Turn off.
Add assets to classifications
On the Critical asset management page, select the relevant asset classification.
To see all assets in the classification, select the Overview or Assets tab.
Review the asset list.
To approve assets that fit the classification but are out of threshold, browse to Assets to review.
Review the listed assets. Select the plus button next to the assets you want to add.
Note
Assets to review only displays when there are assets to review.
You can change the criticality levels and turn off all assets. You can also edit and delete custom critical assets.
Sort by criticality
- Select Devices in the Device Inventory.
- Sort by Criticality level to view business critical assets with a "very high" level of criticality.
Prioritize recommendations for critical assets
To help you prioritize security recommendations and focus remediation steps on critical assets, the Security recommendations page in the Microsoft Defender portal shows the sum of exposed critical assets for each recommendation.
To see the sum of exposed critical assets, go to the Security recommendations page.
Next steps
Learn about simulating attack paths.