Investigate attacks with Microsoft Defender for Identity

You've learned that you can use Microsoft Defender for Identity to detect different kinds of attacks on your organization's identities. But as the security analyst for your organization, you also need to understand those attacks so that you can address them and prevent them from recurring. Here, you'll learn how to investigate in response to an attack.

Investigate malicious activity

An attack can emanate from within your corporate domain or from the outside. Commonly, an attacker may try to compromise a single computer or user account from the outside, and then use it as the launch pad for an assault on the rest of your system. If you observe alerts being triggered for unusual activity, you should investigate the sources of these alerts on your network. Microsoft Defender for Identity captures information that enables you to investigate the various user accounts, computers, and other entities that may be involved.

Investigate users

If suspicious activity is detected for a specific user, you can use the data that Microsoft Defender for Identity collects to answer the following questions:

  • Who is this user? Should this user account actually exist or has it been created surreptitiously? Does this user have administrator rights? Do they have control over sensitive information in the system? Are they on a watch list—have you observed unusual activity by this account previously?
  • Has this user tripped other alerts in Microsoft Defender for Identity or in other tools, such as Microsoft Defender for Endpoint or Microsoft Defender for Cloud Apps?
  • Does this user have a record of failed sign-in attempts?
  • Which resources does this user normally access, and is the account now exhibiting a pattern of unusual requests? Is the user now attempting to access sensitive data?
  • Which computers has this user logged into and does the user normally connect to these computers?
  • Is there a lateral movement path between this user and an account that has access to more sensitive data? A relatively unprotected account on one computer might be a member of a group that has administrative rights on another machine where a more privileged account signs in. A lateral movement path lets an attacker use the credentials of the weakly protected account to reach more sensitive accounts and resources elsewhere in the domain.

A screenshot showing user activity for an investigation in Microsoft Defender for Identity.

Investigate computers

You can also use Microsoft Defender for Identity to track activity by computer. Using this information, you can pose the following questions when an alert is triggered:

  • Which user was signed in to the computer? Does this user normally use this computer? Which resources on the computer was the user attempting to access?
  • Have there been many recent failed sign-in attempts to this computer?
  • Has this computer tripped other alerts in Microsoft Defender for Identity or other solutions like Microsoft Defender for Endpoint?
  • Have any new programs been installed on this computer?
  • Have any files been uploaded to or downloaded from this computer?
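As an added example (not Microsoft's code and not part of the original page), the following Python turns the user and computer questions above into triage logic that runs over a constructed set of sign-in events. The accounts, hosts and timestamps are all assumptions. In practice you would answer these questions from the entity pages or an advanced hunting query; what the example shows is the underlying method: compare a baseline period with the investigation window, and look for failed sign-ins, computers the account never used before, and accounts the computer never saw before.

```python
"""Pivot sign-in events by user and by computer for an investigation.

Added example, not Microsoft's code. The events below are constructed
and only loosely mirror the fields Defender for Identity shows for
logon activity (account, computer, outcome, logon type, time); every
name and timestamp is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    user: str
    computer: str      # computer the sign-in was made to
    success: bool
    logon_type: str    # "interactive", "network" or "remote_interactive"


# Constructed sample: 30 days of routine activity, then one suspicious day.
BASE = datetime(2024, 3, 1)
EVENTS = []
for day in range(30):
    t = BASE + timedelta(days=day, hours=8)
    EVENTS.append(LogonEvent(t, "alice", "WS-ALICE", True, "interactive"))
    EVENTS.append(LogonEvent(t + timedelta(hours=1), "alice", "FS-01", True, "network"))
    EVENTS.append(LogonEvent(t, "bob", "WS-BOB", True, "interactive"))

# Investigation window: alice's account fails repeatedly against a domain
# controller, then succeeds there and on a server it has never used.
WINDOW_START = BASE + timedelta(days=30)
for minute in range(12):
    EVENTS.append(LogonEvent(WINDOW_START + timedelta(hours=2, minutes=minute),
                             "alice", "DC-01", False, "network"))
EVENTS.append(LogonEvent(WINDOW_START + timedelta(hours=2, minutes=13),
                         "alice", "DC-01", True, "network"))
EVENTS.append(LogonEvent(WINDOW_START + timedelta(hours=2, minutes=30),
                         "alice", "SQL-01", True, "remote_interactive"))


def user_profile(events, user, window_start):
    """Investigate a user: failed sign-ins in the window, computers used,
    and which of those the account never signed in to during the baseline."""
    baseline = [e for e in events if e.user == user and e.success and e.time < window_start]
    recent = [e for e in events if e.user == user and e.time >= window_start]
    usual_computers = {e.computer for e in baseline}
    return {
        "failed_signins": sum(1 for e in recent if not e.success),
        "computers": sorted({e.computer for e in recent}),
        "new_computers": sorted({e.computer for e in recent
                                 if e.success and e.computer not in usual_computers}),
    }


def computer_profile(events, computer, window_start):
    """Investigate a computer: failed sign-ins to it, accounts that signed in,
    and which of those accounts had never signed in to it before."""
    baseline = [e for e in events if e.computer == computer and e.success and e.time < window_start]
    recent = [e for e in events if e.computer == computer and e.time >= window_start]
    usual_users = {e.user for e in baseline}
    return {
        "failed_signins": sum(1 for e in recent if not e.success),
        "users": sorted({e.user for e in recent}),
        "unusual_users": sorted({e.user for e in recent
                                 if e.success and e.user not in usual_users}),
    }


def failure_bursts(events, threshold=10, span=timedelta(minutes=15)):
    """Return (user, computer) pairs with at least `threshold` failed sign-ins
    inside any `span`-long window: the shape behind brute-force alerts."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e.time):
        if not e.success:
            failures[(e.user, e.computer)].append(e.time)
    bursts = []
    for key, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > span:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts.append(key)
                break
    return sorted(bursts)


if __name__ == "__main__":
    print(user_profile(EVENTS, "alice", WINDOW_START))
    print(computer_profile(EVENTS, "DC-01", WINDOW_START))
    print(failure_bursts(EVENTS))
```

The baseline is deliberately restricted to successful sign-ins so that an attacker's failed guesses during the attack do not teach the profile that the target computer is "usual" for the account. The burst detector uses a sliding window rather than a fixed calendar minute so that a spray straddling a boundary is still caught.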

A screenshot showing computer activity for an investigation in Microsoft Defender for Identity.

Investigate lateral movement paths

A lateral movement path exists when an account that isn't sensitive can be used to reach one that is: for example, when the non-sensitive account (or a group it belongs to) has local administrator rights on a computer where a sensitive account has a logon session, so that compromising the first account exposes the credentials of the second. Once such an at-risk account is compromised, the other accounts on its lateral movement path become targets. Microsoft Defender for Identity can generate reports indicating possible lateral movement paths for an account.

A screenshot showing how to download lateral movement paths in Microsoft Defender for Identity.

To minimize lateral movement paths, consider the following best practices:

  • Make sure that users provide administrative credentials only when signing in to hardened computers. A user who doesn't need to perform admin tasks should sign in with an ordinary, non-administrative account.
  • Only grant the necessary rights to users and groups.
  • Only grant access to the resources required by users and groups.
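To make the lateral movement path concept concrete, here is an added example in Python (not Defender for Identity's own code or algorithm, and not from the original page). It models the two relationships the path report is built on, local administrator rights on a computer (held directly or through a group) and logon sessions on that computer, and searches for a chain from an ordinary account to a sensitive one. The domain, accounts, groups and hosts are constructed assumptions. The final function shows how applying the best practices above (no admin sign-ins on unhardened computers, no broad admin group memberships) removes the path.

```python
"""Find lateral movement paths from an ordinary account to a sensitive one.

Added example, not Defender for Identity's own code. Model: an attacker who
controls an account with local admin rights on a computer can harvest the
credentials of every account that has a logon session on that computer.
All accounts, groups and hosts below are constructed.
"""
from collections import deque

# Constructed directory data for a small lab domain.
GROUP_MEMBERS = {
    "Helpdesk": {"carol"},
    "Domain Admins": {"dadmin"},
}
LOCAL_ADMINS = {     # computer -> principals (accounts or groups) with local admin rights
    "WS-CAROL": {"carol"},
    "WS-ALICE": {"alice", "Helpdesk"},
    "SRV-APP1": {"Helpdesk"},
    "DC-01": {"Domain Admins"},
}
SESSIONS = {         # computer -> accounts with a logon session (credentials in memory)
    "WS-CAROL": {"carol"},
    "WS-ALICE": {"alice"},
    "SRV-APP1": {"svc-app", "dadmin"},   # a domain admin signed in to an ordinary server
    "DC-01": {"dadmin"},
}
SENSITIVE = {"dadmin"}   # accounts Defender for Identity would tag as sensitive


def members_of(principal, group_members):
    """Expand a group to its member accounts; a plain account expands to itself."""
    return set(group_members.get(principal, {principal}))


def admin_computers(account, local_admins, group_members):
    """Computers where `account` is a local admin, directly or through a group."""
    return {
        computer for computer, principals in local_admins.items()
        if any(account in members_of(p, group_members) for p in principals)
    }


def lateral_movement_path(start, sensitive, local_admins, sessions, group_members):
    """Breadth-first search: account -> computer it administers -> account with a
    session there -> ... Returns the first path that reaches a sensitive account
    as [account, computer, account, ...], or None if no path exists."""
    parent = {start: None}           # account -> (previous account, computer used)
    queue = deque([start])
    while queue:
        account = queue.popleft()
        if account in sensitive and account != start:
            path = [account]
            while parent[path[-1]] is not None:
                via_account, via_computer = parent[path[-1]]
                path.extend([via_computer, via_account])
            return path[::-1]
        for computer in sorted(admin_computers(account, local_admins, group_members)):
            for exposed in sorted(sessions.get(computer, ())):
                if exposed not in parent:
                    parent[exposed] = (account, computer)
                    queue.append(exposed)
    return None


def without_admin_logon(sessions, account, computer):
    """Remediation: the sensitive account no longer signs in to that computer
    (admin credentials only on hardened hosts). Returns a modified copy."""
    fixed = {c: set(s) for c, s in sessions.items()}
    fixed.get(computer, set()).discard(account)
    return fixed


if __name__ == "__main__":
    print(lateral_movement_path("carol", SENSITIVE, LOCAL_ADMINS, SESSIONS, GROUP_MEMBERS))
    fixed = without_admin_logon(SESSIONS, "dadmin", "SRV-APP1")
    print(lateral_movement_path("carol", SENSITIVE, LOCAL_ADMINS, fixed, GROUP_MEMBERS))
```

With the constructed data, carol (a helpdesk member) is a local admin on SRV-APP1, where dadmin has a session, so the path is carol, SRV-APP1, dadmin. Either remediation breaks it: stop dadmin signing in to SRV-APP1, or take the Helpdesk group out of that server's local administrators, which is the least-privilege rule from the list above.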

Investigate entities

An entity is a user, computer, or device within a domain. Microsoft Defender for Identity provides a profile page for each entity in the domain, with detailed information including the resources the entity has access to and its activity history. The profile page uses the Microsoft Defender for Identity logical activity translator, which looks at a group of related activities (aggregated over a span of up to a minute) and combines them into a single logical activity, giving you a clearer picture of what your users are actually doing.

Explore attack investigation and response

Investigate and respond to attacks with Microsoft Defender for Identity.
