Note
The Microsoft Defender for Identity features explained on this page are also accessible using the new portal.
Microsoft Defender for Identity security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.
Defender for Identity security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:
- Reconnaissance phase alerts
- Compromised credential phase alerts
- Lateral movement phase alerts
- Domain dominance phase alerts
- Exfiltration phase alerts
To learn more about the structure and common components of all Defender for Identity security alerts, see Understanding security alerts.
Security alert name mapping and unique external IDs
The following table maps each alert name to its unique external ID and to its Microsoft Defender for Cloud Apps alert ID. When writing scripts or automation, Microsoft recommends keying on the alert external IDs rather than on alert names, because only the external IDs are permanent and not subject to change.
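The following script, added here as an illustration and not part of the Microsoft documentation, shows why automation should key on external IDs: alerts are routed to kill-chain phases by ID, and a renamed alert still lands in the right bucket. The external ID values (9001 to 9003, 9999), the alert titles, and the JSON field names (`externalId`, `title`, `hostname`) are constructed assumptions; take the real IDs from the mapping table.

```python
import json
from collections import defaultdict

# Mapping keyed on the permanent external ID rather than the display name.
# The IDs 9001-9003 are constructed placeholders for this example, not real
# Defender for Identity IDs; take the real values from the mapping table.
PHASE_BY_EXTERNAL_ID = {
    9001: "reconnaissance",
    9002: "compromised-credential",
    9003: "lateral-movement",
}

# A name-keyed mapping, as a fragile automation might maintain it.
TITLE_TO_PHASE = {
    "Example recon alert": "reconnaissance",
    "Example lateral movement alert": "lateral-movement",
}

# Constructed sample alerts (not real product output; field names assumed).
# ID 9001 appears under two titles, simulating an alert renamed between releases.
SAMPLE_ALERTS = json.dumps([
    {"externalId": 9001, "title": "Example recon alert", "hostname": "DC01"},
    {"externalId": 9001, "title": "Example recon alert (renamed)", "hostname": "DC02"},
    {"externalId": 9003, "title": "Example lateral movement alert", "hostname": "WS17"},
    {"externalId": 9999, "title": "Example brand-new alert", "hostname": "DC01"},
])


def route_by_title(alerts_json, title_to_phase=TITLE_TO_PHASE):
    """Fragile: keyed on the display name, so a renamed alert falls to 'unknown'."""
    phases = defaultdict(list)
    for alert in json.loads(alerts_json):
        phases[title_to_phase.get(alert["title"], "unknown")].append(alert["hostname"])
    return dict(phases)


def route_by_external_id(alerts_json, id_to_phase=PHASE_BY_EXTERNAL_ID):
    """Robust: keyed on externalId; IDs not yet in the map are surfaced for triage."""
    phases = defaultdict(list)
    for alert in json.loads(alerts_json):
        try:
            ext_id = int(alert["externalId"])
        except (KeyError, TypeError, ValueError):
            phases["malformed"].append(alert.get("hostname", "?"))
            continue
        phases[id_to_phase.get(ext_id, "unknown")].append(alert["hostname"])
    return dict(phases)


if __name__ == "__main__":
    print(route_by_title(SAMPLE_ALERTS))        # DC02 misrouted to 'unknown'
    print(route_by_external_id(SAMPLE_ALERTS))  # DC02 correctly in 'reconnaissance'
```

The unknown bucket in the ID-keyed version is the place to catch newly introduced alerts whose IDs have not been added to the map yet.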
External IDs
Note
To disable any security alert, contact support.