We are excited to announce that starting today, Microsoft Defender for Identity alerts are natively integrated into Microsoft 365 security center (security.microsoft.com) with a dedicated Identity alert page format. This marks the first step in our journey to introduce the full Microsoft Defender for Identity experience into the unified Microsoft 365 Defender portal and is a continuation of the convergence motion to integrate protection across domains, which started with Defender for Office 365 and Defender for Endpoint.
The new Identity alert page unlocks value for Microsoft Defender for Identity customers such as better cross-domain signal enrichment and new automated identity response capabilities. It ensures that we can best help our customers to stay secure and help improve the efficiency of security operations. To learn more about Microsoft 365 Defender, check out this dedicated Tech Community blog.
Alerts and investigation
Alerts are a key experience when working with any security product. That’s why Defender for Identity is continuously investing in research and engineering efforts to provide new alerts for attack techniques, tools and vulnerabilities. Starting today, Microsoft Defender for Identity alerts are available to view within the Microsoft 365 Defender portal.
(Figure 1. Alert experience in Microsoft 365 security center)
One of the benefits of investigating alerts through Microsoft 365 security center is that Microsoft Defender for Identity alerts are further correlated with information obtained from each of the other products in the suite. These enhanced alerts are consistent with the other Microsoft 365 Defender alert formats originating from Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. The new page effectively eliminates the need to navigate (‘tab-out’) to another product portal to investigate alerts associated with identity.
(Figure 2. Side panel for device entity that is enriched by both Microsoft Defender for Endpoint and Microsoft Defender for Identity)
The new alert page maintains a similar look and feel to Defender for Identity while adapting to the Microsoft 365 Defender user experience and style.
Not just a new home…
Alerts are now in one common alert queue with Defender for Office 365, Defender for Endpoint, Microsoft Cloud App Security and various compliance workload alerts. Another stand-out feature for alerts originating from Defender for Identity is that they can now trigger the Microsoft 365 Defender automated investigation and response (AIR) capabilities, including automatic remediation of alerts and mitigation of the tools and processes that can contribute to the suspicious activity.
(Figure 3. Automatic alert investigation based on Microsoft Defender for Identity alert)
How do I get started?
Defender for Identity alerts can easily be accessed from either the Incidents or Alerts queue. Open either of these areas, and then you can filter by Service Sources to see the specific alerts you’re looking for.
(Figure 4. Microsoft 365 security menu)
(Figure 5. Filter options for alert view)
As always, we’d love to know what you think.
Leave us feedback directly on the Microsoft 365 security center.