Adjust alert thresholds

This article describes how to influence the number of false positives by adjusting thresholds for specific Microsoft Defender for Identity alerts.

Some Defender for Identity alerts rely on learning periods to build a profile of patterns, and then distinguish between legitimate and suspicious activities. Each alert also has specific conditions within the detection logic to help distinguish between legitimate and suspicious activities, such as alert thresholds and filtering for popular activities.

Use the Adjust alert thresholds page to customize the threshold level for specific alerts to influence their alert volume. For example, if you're running comprehensive testing, you might want to lower alert thresholds to trigger as many alerts as possible.

Alerts are always triggered immediately if the Recommended test mode option is selected, or if a threshold level is set to Medium or Low, regardless of whether the alert's learning period has already completed.

Note

The Adjust alert thresholds page was previously named Advanced settings. For details about this transition and how any previous settings were retained, see our What's New announcement.

Prerequisites

To view the Adjust alert thresholds page in Microsoft Defender XDR, you need access at least as a Security viewer.

To make changes on the Adjust alert thresholds page, you need access at least as a Security administrator.

Define alert thresholds

We recommend changing alert thresholds from the default (High) only after careful consideration.

For example, if you have NAT or VPN, we recommend that you consider any changes to relevant detections carefully, including Suspected DCSync attack (replication of directory services) and Suspected identity theft detections.

To define your alert thresholds:

  1. In Microsoft Defender XDR, go to Settings > Identities > Adjust alert thresholds.

  2. Locate the alert where you want to adjust the alert threshold and select the threshold level you want to apply.

    • High is the default value, and applies standard thresholds to reduce false positives.
    • Medium and Low thresholds increase the number of alerts generated by Defender for Identity.

    When you select Medium or Low, details are bolded in the Information column to help you understand how the change affects the alert behavior.

  3. Select Apply changes to save changes.

Select Revert to default and then Apply changes to reset all alerts to the default threshold (High). Reverting to default is irreversible and any changes made to your threshold levels are lost.

Switch to test mode

The Recommended test mode option is designed to help you understand all Defender for Identity alerts, including some related to legitimate traffic and activities, so that you can thoroughly evaluate Defender for Identity as efficiently as possible.

If you recently deployed Defender for Identity and want to test it, select the Recommended test mode option to switch all alert thresholds to Low and increase the number of alerts triggered.

Threshold levels are read-only when the Recommended test mode option is selected. When you're finished testing, toggle the Recommended test mode option back off to return to your previous settings.

Select Apply changes to save changes.

Supported detections for threshold configurations

The following table describes the types of detections that support adjustments for threshold levels, including the effects of Medium and Low thresholds.

Cells marked with N/A indicate that the threshold level is not supported for the detection.

| Detection | Medium | Low |
| --- | --- | --- |
| Security principal reconnaissance (LDAP) | When set to Medium, this detection triggers alerts immediately, without waiting for a learning period, and also disables any filtering for popular queries in the environment. | When set to Low, all support for the Medium threshold applies, plus a lower threshold for queries, single scope enumeration, and more. |
| Suspicious additions to sensitive groups | N/A | When set to Low, this detection avoids the sliding window and ignores any previous learnings. |
| Suspected AD FS DKM key read | N/A | When set to Low, this detection triggers immediately, without waiting for a learning period. |
| Suspected Brute Force attack (Kerberos, NTLM) | When set to Medium, this detection ignores any learning done and has a lower threshold for failed passwords. | When set to Low, this detection ignores any learning done and has the lowest possible threshold for failed passwords. |
| Suspected DCSync attack (replication of directory services) | When set to Medium, this detection triggers immediately, without waiting for a learning period. | When set to Low, this detection triggers immediately, without waiting for a learning period, and avoids IP filtering like NAT or VPN. |
| Suspected Golden Ticket usage (forged authorization data) | N/A | When set to Low, this detection triggers immediately, without waiting for a learning period. |
| Suspected Golden Ticket usage (encryption downgrade) | N/A | When set to Low, this detection triggers an alert based on lower confidence resolution of a device. |
| Suspected identity theft (pass-the-ticket) | N/A | When set to Low, this detection triggers immediately, without waiting for a learning period, and avoids IP filtering like NAT or VPN. |
| User and Group membership reconnaissance (SAMR) | When set to Medium, this detection triggers immediately, without waiting for a learning period. | When set to Low, this detection triggers immediately and includes a lower alert threshold. |

For more information, see Security alerts in Microsoft Defender for Identity.

Next step

For more information, see Investigate Defender for Identity security alerts in Microsoft Defender XDR.