Forum Discussion
Defender for Identity Learning Period
logger2115 Hi, you're correct that clear documentation on verifying the learning period for Microsoft Defender for Identity is sparse, especially as the platform has evolved and certain UI elements have been removed. Defender for Identity has a built-in learning period where it establishes a baseline of normal behavior for entities like users, devices, and activities. After this learning period, it begins triggering alerts based on deviations from the baseline.
It typically lasts for 21 to 30 days, during which Defender for Identity establishes a baseline of normal behavior. During this period, it might not generate certain types of alerts that rely on this baseline.
logger2115 (Oct 17, 2024, Brass Contributor): Good info but a couple of questions:
1. How do we validate if the learning period is completed?
2. Where can we extract post-learning-period baseline behavioral datasets?

micheleariis (Oct 17, 2024, MCT):
logger2115 After the 21-30 day window, check if baseline-related alerts are being triggered.
Monitor for behavior-based alerts like "Unusual Protocol Activity" or "Lateral Movement Path."

Extracting Baseline Behavior Data:
Use Azure Sentinel or SIEM integration for detailed datasets.
Check Entity Profiles and alerts in the portal for insights into post-baseline behaviors.
Utilize PowerShell for pulling alerts and understanding deviations.
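One way to do the PowerShell check suggested above, as an added example that is not part of the thread: pull Defender for Identity alerts from the Microsoft Graph security API that were created after the assumed learning window and group them by detection name, so you can see whether behavior-based detections have started firing. It assumes the Microsoft.Graph.Authentication module, the SecurityAlert.Read.All permission, and a placeholder sensor deployment date; the 30-day window is the upper bound quoted in the thread.

```powershell
# Added example (not from the thread or from Microsoft): check whether Defender for
# Identity alerts have been raised after the learning window has elapsed.
# Assumes: Microsoft.Graph.Authentication module installed, SecurityAlert.Read.All granted.
param(
    [datetime]$SensorDeployedOn = (Get-Date '2024-09-01'),  # placeholder: your first sensor install date
    [int]$LearningDays = 30                                  # 21-30 days per the thread; use the upper bound
)

Connect-MgGraph -Scopes 'SecurityAlert.Read.All' -NoWelcome

# Graph expects an ISO 8601 UTC timestamp in $filter expressions
$windowEnd = $SensorDeployedOn.AddDays($LearningDays).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter    = "serviceSource eq 'microsoftDefenderForIdentity' and createdDateTime ge $windowEnd"
$uri       = "https://graph.microsoft.com/v1.0/security/alerts_v2?`$filter=" +
             [uri]::EscapeDataString($filter) + "&`$top=100"

# Follow @odata.nextLink so all pages of alerts are collected, not just the first 100
$alerts = @()
do {
    $page   = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $alerts += $page.value
    $uri    = $page.'@odata.nextLink'
} while ($uri)

Write-Host "Assumed learning window ended: $windowEnd"
Write-Host "Defender for Identity alerts created since then: $($alerts.Count)"

# Group by detection title. Behavior-based detections (the thread names
# "Unusual Protocol Activity") showing up here indicates the baseline is in use;
# an empty or signature-only list suggests the baseline period is not yet over.
$alerts |
    Group-Object -Property title |
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The raw alert objects in `$alerts` can also be exported (for example with `Export-Csv`) if you want the post-learning-period data outside the portal, as the reply above suggests.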