In this article, you’ll learn how to correctly configure Microsoft Defender for Identity sensor settings to start seeing data. You’ll need to do additional configuration and integration to take advantage of Defender for Identity’s full capabilities.


Configure sensor settings

After the Defender for Identity sensor is installed, do the following to configure Defender for Identity sensor settings.

  1. Click Launch to open your browser and sign in to the Defender for Identity portal.
  2. In the Defender for Identity portal, go to Configuration and, under System, select Sensors.

    Sensor page.

  3. Click on the sensor you want to configure and enter the following information:

    Configure sensor settings.

    • Description: Enter a description for the Defender for Identity sensor (optional).
    • Domain Controllers (FQDN) (required for the Defender for Identity standalone sensor, this can’t be changed for the Defender for Identity sensor): Enter the complete FQDN of your domain controller and click the plus sign to add it to the list. For example, dc01.contoso.com

    The following information applies to the servers you enter in the Domain Controllers list:

    • All domain controllers whose traffic is being monitored via port mirroring by the Defender for Identity standalone sensor must be listed in the Domain Controllers list. If a domain controller isn’t listed in the Domain Controllers list, detection of suspicious activities might not function as expected.
    • At least one domain controller in the list should be a global catalog. This enables Defender for Identity to resolve computer and user objects in other domains in the forest.
    • Capture Network adapters (required):
    • For Defender for Identity sensors, all network adapters that are used for communication with other computers in your organization.
    • For Defender for Identity standalone sensor on a dedicated server, select the network adapters that are configured as the destination mirror port. These network adapters receive the mirrored domain controller traffic.
  4. Click Save.

Validate installations

To validate that the Defender for Identity sensor has been successfully deployed, check the following:

  1. Check that the service named Azure Advanced Threat Protection sensor is running. After you save the Defender for Identity sensor settings, it might take a few seconds for the service to start.
  2. If the service doesn’t start, review the “Microsoft.Tri.sensor-Errors.log” file located in the following default folder, “%programfiles%\Azure Advanced Threat Protection sensor\Version X\Logs”.


    The version of Defender for Identity updates frequently, to check the latest version, in the Defender for Identity portal, go to Configuration and then About.

  3. Go to your Defender for Identity instance URL. In the Defender for Identity portal, search for something in the search bar, such as a user or group on your domain.
  4. Verify Defender for Identity connectivity on any domain device using the following steps:
    1. Open a command prompt
    2. Type nslookup
    3. Type server then the FQDN or IP address of the domain controller where the Defender for Identity sensor is installed. For example, server contosodc.contoso.azure
      • Make sure to replace contosodc.contoso.azure and contoso.azure with the FQDN of your Defender for Identity sensor and domain name respectively.
    4. Type ls -d contoso.azure
    5. Repeat steps 3 and 4 for each sensor you wish to test.
    6. From the Defender for Identity console, open the entity profile for the computer you ran the connectivity test from.
    7. Check the related logical activity and confirm connectivity.


    If the domain controller you wish to test is your first deployed sensor, wait at least 15 minutes to allow the database backend to finish initial deployment of the necessary microservices before you attempt to verify the related logical activity for that domain controller.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

(Visited 11 times, 1 visits today)