Defender Confirm User Compromised

RodgerRodger 

I feel like the below answer is a bit of a cheat, but to be honest there isn't a great deal of easy-to-find details on exactly what happens in the background when you click on 'Confirm user as compromised', so I ran a few prompts in Copilot and got a pretty good response after a while:

When you click on ‘Confirm User Compromised’ in Microsoft Defender XDR, several actions and processes are set in motion to address the potential compromise of a user account. Let’s break down what happens in detail:

1. Context and Purpose:

   • The action is triggered when an alert or incident suggests that a user might be compromised or exhibits suspicious behavior.
   • The primary purpose is to secure the user account, investigate the incident, and take necessary remediation steps.

2. User Entity Page:

   • The user entity page in Microsoft Defender XDR provides crucial information about each identity.
   • If an alert or incident points to a potentially compromised user, you’ll want to investigate the user profile.

3. Accessing the User Page:

   • You can find identity information in various views:
     • Identities page
     • Alerts queue
     • Individual alert/incident
     • Device page
     • Activity log
     • Advanced hunting queries
     • Action center
   • Clicking on the user’s identity link takes you to the User page with detailed information.

4. User Page Components:

   • Overview:
     • Displays identity details, including risk level, signed-in devices, first and last seen timestamps, user accounts, group memberships, and contact information.
     • Additional details may appear based on enabled integration features.
   • Visual View of Incidents and Alerts:
     • Groups all incidents and alerts associated with the user, categorized by severity.
   • Investigation Priority:
     • Shows the calculated investigation priority score breakdown.
     • Includes a two-week trend for the identity’s score percentile within the tenant.
   • Active Directory Account Control:
     • Flags important security settings related to the user account.
     • Examples: Bypass password via Enter key, password expiration status, etc.
   • Scored Activities:
     • Lists activities and alerts contributing to the overall investigation priority score over the last seven days.
   • Organization Tree:
     • Displays the hierarchy for the identity as reported by Microsoft Defender for Identity.
   • Account Tags:
     • Pulled from Active Directory, these tags provide additional details about the entity.

5. Confirm User Compromised Action:

   • When you click ‘Confirm User Compromised’:
     • The user account is marked as high risk.
     • The user’s risk level is elevated in Identity Protection.
     • A risky user policy is triggered.
     • The user is prompted to securely change their password.
     • The account remains accessible, but the risk is acknowledged.

6. Additional Remediations:

   • While this action doesn’t directly enforce specific remediations, it sets the stage for further steps:
     • Password Reset: Prompt the user to change their password.
     • Force 2FA (Two-Factor Authentication): Enhance security. (you really should already have this enforced via CAP's for all users anyway)
     • Log Off All Sessions: Terminate active sessions.
     • Other actions based on organizational policies.