This article provides a readiness roadmap: a list of resources that help you get started with Microsoft Defender for Identity.
Understanding Microsoft Defender for Identity
Microsoft Defender for Identity is a cloud service that helps identify and protect your enterprise from multiple types of advanced targeted cyber-attacks and insider threats.
To learn more about Defender for Identity:
- Defender for Identity overview
- Defender for Identity introductory video (25 minutes)
- Defender for Identity deep dive video (75 minutes)
Deployment decisions
Defender for Identity consists of a cloud service residing in Azure and integrated sensors that are installed on domain controllers. If you are using physical servers, capacity planning is critical. Use the sizing tool to determine the resources to allocate for your sensors:
- Defender for Identity sizing tool – The sizing tool automates collection of the amount of traffic Defender for Identity monitors. It automatically provides supportability and resource recommendations for sensors.
- Defender for Identity capacity planning guidance
Deploy Defender for Identity
Use these resources to help you set up Defender for Identity, connect to Active Directory, download the sensor package, set up event collection, optionally integrate with your VPN, and set up honeytoken accounts and exclusions.
- Try Defender for Identity (part of EMS E5) – The trial is valid for 90 days.
- Defender for Identity setup – Follow these steps to deploy Defender for Identity in your environment.
- Integrate Defender for Identity with Microsoft Defender for Endpoint
Defender for Identity settings
When you create your Defender for Identity instance, the necessary basic settings are configured automatically. Several additional settings can be configured to improve detection and alert accuracy for your environment, such as VPN integration, SAM-R required permissions, and advanced audit policy settings.
- VPN integration
- SAM-R required permissions
- Audit policy settings – Audit your domain controller health before and after a Defender for Identity deployment.
Work with Defender for Identity
After Defender for Identity is up and running, view security alerts in the Defender for Identity portal activity timeline. The activity timeline is the default landing page after you sign in to the Defender for Identity portal. By default, all open security alerts are shown on the activity timeline, along with the severity assigned to each alert. Investigate each alert by drilling down into the entities involved (computers, devices, users) to open their profile pages with more information. Lateral movement paths show the potential moves that can be made in your network and the sensitive users at risk. Investigate and remediate that exposure using the lateral movement path detection graphs. These resources help you work with Defender for Identity’s security alerts:
- Defender for Identity security alert guide – Learn to triage and take the next steps with your Defender for Identity detections.
- Defender for Identity lateral movement paths
- Tag groups as sensitive – Gain visibility into credential exposure on sensitive security groups.
Security best practices
- Defender for Identity Frequently Asked Questions – This article provides a list of frequently asked questions about Defender for Identity and provides insight and answers.
Community resources
Blog: Defender for Identity blog
Public Community: Defender for Identity Tech Community
Private Community: Defender for Identity Yammer Group