Microsoft Defender for Identity


I have implemented this, but how do I know it's working? The reports don't have a lot of information.

Also, I have remedied the global health issues per the links provided, but how do we know it's really remedied? I close the alerts, but how do I know it's working the way it should?

Thanks,

Tommy

9 Replies
A few ways you can check, in the Microsoft 365 Defender portal:

Check whether any alerts are being generated by Defender for Identity by filtering by "detection source" for "MDI".

Check the Advanced Hunting section to view the IdentityInfo, IdentityLogonEvents, IdentityQueryEvents and IdentityDirectoryEvents tables; if you are receiving information there, that's another sign that it's working.

Check Settings > Identities > Sensors tab > check the health of your sensors.
Check Settings > Identities > Health Issues > check for health alerts.

If logging isn't present when you query the advanced hunting tables, then I would say you have some issues.
It could also be that the config has been applied correctly and you have a very quiet environment (which is a good thing).
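The Advanced Hunting and alert checks above, written out as KQL. This is an added example and not part of the original reply; it assumes the Microsoft 365 Defender advanced hunting schema (a Timestamp column on each Identity* table, DetectionSource on AlertInfo) and uses an arbitrary 7-day window. The exact DetectionSource string can be confirmed in your tenant with `AlertInfo | distinct DetectionSource` before relying on the second query.

```kql
// Added example (not from the original reply). Newest event and event count per
// MDI advanced-hunting table over the last 7 days; a table that is absent from the
// output has received nothing in that window, which points at a sensor or
// event-collection problem rather than a merely quiet environment.
union withsource=TableName IdentityInfo, IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents
| where Timestamp > ago(7d)
| summarize LastEvent = max(Timestamp), Events = count() by TableName
| order by LastEvent desc

// Second query (run separately): alerts raised by Defender for Identity in the same
// window, i.e. the portal's "detection source = MDI" filter expressed in KQL.
// Assumption: DetectionSource carries the value "Microsoft Defender for Identity".
AlertInfo
| where Timestamp > ago(7d)
| where DetectionSource == "Microsoft Defender for Identity"
| summarize Alerts = count(), Latest = max(Timestamp) by Title, Severity
| order by Latest desc
```

If the first query returns all four tables with recent timestamps but the second returns nothing, the sensors are feeding data and the absence of alerts is either a quiet environment or a detection not being triggered, which is what the attack simulations are for.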

@hatommy118, you could use the MDI attack simulations to learn about detections and test some scenarios: Attack simulations - Microsoft Defender for Identity | Microsoft Learn

After implementing this, our users are complaining that opening network files such as Adobe and Excel is very slow. Have you experienced this? Please advise.

@hatommy118

Never experienced slow connectivity; do you by chance have a network engineer who can inspect the ingress/egress traffic?

Thanks for replying; it turns out it was Carbon Black, the timing was impeccable!

Running the below commands doesn't trigger any alerts while doing the attack simulations. Any ideas why this is?

net group /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net group "Schema Admins" /domain

@hatommy118, did you configure all event collections? Configure Windows Event collection - Microsoft Defender for Identity | Microsoft Learn

Also, have you checked your MDI health under Settings -> Identities -> Health issues?

Thank you

Yes, I have double-checked everything as well. The netsess.exe command generates an alert though.
All the simulations generate alerts except this one, which is odd. No health issues either. Any thoughts on the exact setting from the link you provided? Please advise, and thanks in advance.