logger2115
Brass Contributor
Oct 17, 2024

Defender for Identity Learning Period

There is no documentation around the Learning Period. Most of the articles I've skimmed through mention toggling this and that, but there is no clear documentation on how we can verify whether the learning period is over and done.


Is there a PowerShell command to verify this via Defender for PowerShell? Is there some setting to check whether the learning period is over and done?


Seriously, there used to be a toggle button, and now there is no toggle except for "Recommended Test Mode".


  • logger2115 Hi, you're correct that clear documentation on verifying the learning period for Microsoft Defender for Identity is sparse, especially as the platform has evolved and certain UI elements have been removed. Defender for Identity has a built-in learning period where it establishes a baseline of normal behavior for entities like users, devices, and activities. After this learning period, it begins triggering alerts based on deviations from the baseline.
    It typically lasts 21 to 30 days, during which Defender for Identity establishes a baseline for normal behavior. During this period, it might not generate certain types of alerts that rely on this baseline.

    • logger2115
      Brass Contributor
      Good info, but a couple of questions:

      1. How do we validate that the learning period is completed?
      2. Where can we extract the post-learning-period baseline behavioral datasets?
      • micheleariis
        MCT

        logger2115 After the 21-30 day window, check whether baseline-related alerts are being triggered.
        Monitor for behavior-based alerts such as "Unusual Protocol Activity" or "Lateral Movement Path."


        Extracting Baseline Behavior Data:
        Use Azure Sentinel or SIEM integration for detailed datasets.
        Check Entity Profiles and alerts in the portal for insights into post-baseline behaviors.
        Utilize PowerShell for pulling alerts and understanding deviations.
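One way to do the "pull alerts and look for post-baseline detections" check from the reply above, as an added example that is not from this thread or from Microsoft: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Security module) and an account holding the SecurityAlert.Read.All permission, and the sensor deployment date is a constructed placeholder.

```powershell
# Added example (not from the thread): list Defender for Identity alerts through the
# Microsoft Graph alerts_v2 API and show how long after sensor deployment each alert type
# first fired. Absence of alerts only means no deviation was detected, not that the
# learning period is still running; presence of behavior-based alerts is the usable signal.
Import-Module Microsoft.Graph.Security
Connect-MgGraph -Scopes "SecurityAlert.Read.All" -NoWelcome

# Constructed placeholder: replace with the date your MDI sensors went live
$sensorDeployed = [datetime]"2024-09-15"
$sinceUtc = $sensorDeployed.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# alerts_v2 exposes the originating product as serviceSource; restrict to MDI
$filter = "serviceSource eq 'microsoftDefenderForIdentity' and createdDateTime ge $sinceUtc"
$alerts = Get-MgSecurityAlertV2 -All -Filter $filter

$daysSinceDeploy = [int]((Get-Date) - $sensorDeployed).TotalDays
Write-Host ("Sensors deployed {0} days ago; {1} MDI alerts since then" -f $daysSinceDeploy, $alerts.Count)
if ($daysSinceDeploy -lt 30) {
    Write-Host "Inside the 21-30 day window mentioned in the thread; baseline alerts may not appear yet."
}

# One row per alert title: count, first occurrence, and days after deployment it first fired
$alerts |
    Group-Object -Property Title |
    ForEach-Object {
        $first = ($_.Group | Sort-Object -Property CreatedDateTime | Select-Object -First 1).CreatedDateTime
        [pscustomobject]@{
            Alert           = $_.Name
            Count           = $_.Count
            FirstSeen       = $first
            DaysAfterDeploy = [int]($first - $sensorDeployed).TotalDays
        }
    } |
    Sort-Object -Property FirstSeen |
    Format-Table -AutoSize
```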

  • logger2115
    Brass Contributor
    Also, what's Microsoft's recommended alert threshold for alerts?
    • micheleariis
      MCT

      logger2115 I recommend that you start by using the default settings, which Microsoft has optimized for most environments. If you notice too many false positives or that the system is not generating enough alerts, you can change the thresholds, but do so carefully. Monitor your alerts regularly: over time you will understand how the thresholds work in your context. When you decide to make changes, try to maintain a balance between safety and the number of alerts you receive.