Filter/Exclude VMSS instances from Defender
We run Microsoft 365 Defender for a variety of things, including endpoint and VM scanning. One annoyance we experience is that we can’t find an easy way to filter out (or suppress entirely) Defender’s scanning (or the results of that scanning) of instances in Virtual Machine Scale Sets that run our self-hosted Azure DevOps agents. My question is: have others encountered this, and do they have ideas for how to make this data more manageable?
To explain a little more: we generally like that Defender scans our VM instances in Azure using “agentless” scanning, but there is one situation that leads to a lot of noise. We run a VMSS that hosts our Azure DevOps agents following this setup. These agents are run on “ephemeral” VMs that scale in and out depending on how many jobs are running. Any given VM won’t exist for more than about 12 hours max, and the images on which these VMs are based are rebuilt once a week. Accordingly, in a given week we might have several hundred (or more) VM instances that are created and torn down.
The problem is that each of these now gets an entry in Defender which leads to a lot of noise in the analyses. In general, we don’t mind being able to see reports on these VMs but they aren’t really a priority due to the ephemeral nature of both the instances and the images on which they are built.
We have looked into using tagging to filter them out but apparently you can’t apply tags to VMSS instances, and tags that are applied to the VMSS itself don’t get picked up by Defender.
Does anyone have any ideas for how to sanitize/normalize our Defender dashboards/reports against this type of workflow? The ideal would be an easy way to hide this information unless we explicitly want to see it, but I would also accept a reliable way to not have it reported at all for this VMSS.