Use the following procedures to check that your sensors are working.
Note
The first time you activate the sensor on your domain controller, it might take up to an hour for the sensor to show as Running on the Sensors page. Subsequent activations show within five minutes.
Check the Identity Security dashboard
- In the Defender portal, select Identities > Dashboard, and review the details shown. Check for expected results from your environment. For more information, see Identity Security dashboard.
Confirm entity data in the Defender portal
In the Defender portal, select Assets > Devices, and select the machine for your new sensor. Confirm that Defender for Identity events appear on the device timeline.
Select Assets > Users and check for users from a newly onboarded domain. You can also use the global search to find specific users. Confirm that user details pages include Overview, Observed in organization, and Timeline data.
Use the global search to find a user group, or pivot from a user or device details page where group details are shown. Confirm group membership details, group users, and group timeline data.
If no event data is found on the group timeline, you might need to create some manually. For example, add and remove users from the group in Active Directory.
For more information, see Investigate assets.
Verify data in advanced hunting tables
In the Defender portal's Advanced hunting page, run the following queries to verify that data appears in the expected tables:
IdentityDirectoryEvents | where TargetDeviceName contains "DC_FQDN" // insert domain controller FQDN
IdentityInfo | where AccountDomain contains "domain" // insert domain
IdentityQueryEvents | where DeviceName contains "DC_FQDN" // insert domain controller FQDN
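The following advanced hunting query is an added example, not part of the original page, that goes one step beyond the per-table checks above: it summarizes both event tables per domain controller and reports how many minutes have passed since the last event, so a sensor that has stopped sending data stands out. It assumes the column names used above (TargetDeviceName in IdentityDirectoryEvents, DeviceName in IdentityQueryEvents) and a 24-hour lookback window, which is a constructed choice.

```kusto
// Added verification query: per domain controller, count the Defender for
// Identity events in each table and show how stale the newest event is.
// The 24h lookback is an assumed window; widen it if the sensor was just activated.
let lookback = 24h;
IdentityDirectoryEvents
| where Timestamp > ago(lookback)
| summarize Events = count(), LastSeen = max(Timestamp) by TargetDeviceName
| extend Table = "IdentityDirectoryEvents"
| union (
    IdentityQueryEvents
    | where Timestamp > ago(lookback)
    // Rename DeviceName so both tables line up on the same column.
    | summarize Events = count(), LastSeen = max(Timestamp) by TargetDeviceName = DeviceName
    | extend Table = "IdentityQueryEvents"
)
// Minutes between now and the most recent event from that DC in that table.
| extend MinutesSinceLast = datetime_diff('minute', now(), LastSeen)
| project TargetDeviceName, Table, Events, LastSeen, MinutesSinceLast
| order by TargetDeviceName asc, Table asc
```

A domain controller that appears in only one table, or whose MinutesSinceLast keeps growing, is worth checking against the sensor status on the Sensors page before treating the data as complete.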
For more information, see Advanced hunting in the Microsoft Defender portal.
Test Identity Security Posture Management (ISPM) recommendations
We recommend simulating risky behavior in a test environment to trigger supported assessments and verify that they appear as expected. For example:
Trigger a new Resolve unsecure domain configurations recommendation by setting your Active Directory configuration to a noncompliant state, and then returning it to a compliant state. For example, run the following commands:
To set a noncompliant state:
Set-ADObject -Identity ((Get-ADDomain).distinguishedname) -Replace @{"ms-DS-MachineAccountQuota"="10"}
To return it to a compliant state:
Set-ADObject -Identity ((Get-ADDomain).distinguishedname) -Replace @{"ms-DS-MachineAccountQuota"="0"}
To check your local configuration:
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
In Microsoft Secure Score, select Recommended Actions to check for a new Resolve unsecure domain configurations recommendation. You might want to filter recommendations by the Defender for Identity product.
For more information, see Microsoft Defender for Identity's security posture assessments.
Test alert functionality
Simulate risky activity in a test environment to verify that alerts are triggered as expected. For example:
Tag an account as a honeytoken account, and then try signing in to the honeytoken account against the activated domain controller.
Create a suspicious service on your domain controller.
Run a remote command on your domain controller as an administrator signed in from your workstation.
Verify that the expected alerts appear in the Defender portal.
For more information, see Investigate Defender for Identity security alerts in Microsoft Defender XDR.
Test remediation actions
Test remediation actions on a test user. For example:
In the Defender portal, go to the user details page for a test user.
From the Options menu, select any of the available remediation actions.
Check Active Directory for the expected activity.
For more information, see Remediation actions in Microsoft Defender for Identity.
Next steps
For more information, see Manage and update Microsoft Defender for Identity sensors.