Investigate alerts in Microsoft Defender for Identity

Investigate alerts that are affecting your environment, understand what they mean, and how to resolve them.

Begin your investigation by selecting an alert from the Alerts page in the Microsoft Defender portal. The alerts page displays a list of all security alerts generated by Defender for Identity, including their severity, status, and impacted assets. Selecting an alert opens the alert page, which contains the alert title, the affected assets, the details side pane, and in some cases, an alert story.

Investigate using the alert story

The alert story provides a chronological view of the events related to the alert. It shows what happened, when it happened, and which entities were involved before and after the triggering event. It helps you follow the sequence of events and understand how the alert was generated.

The alert graph visually maps the users, devices, and domain controllers involved in the alert. It shows how these entities interacted, making it easier to identify relationships and patterns at a glance.

The Important information section includes additional technical details that support your investigation. It helps you understand what actions were taken, who initiated them, and where the activity originated. This section gives you raw evidence that can help validate the alert and guide your next steps.

Together, the alert story, alert graph, and Important information give you a complete picture of the alert. They help you understand what triggered the alert, which entities were involved, and whether the activity requires further investigation or action.

Note

The alert story is only visible for alerts that use the classic Defender for Identity structure. For more information about differences in how alerts are presented in the Defender portal, see View and manage alerts.

Take action from the details pane

Once you've selected an alert of interest, the details pane changes to display information about the selected alert and, when available, historic information, and it offers recommended actions to take on this alert.

Once you're done investigating, go back to the alert you started with, mark the alert's status as Resolved, and classify it as either False alert or True alert. Classifying alerts helps tune this capability to produce more true alerts and fewer false alerts.

Advanced security alert investigation

To get more details on a security alert, select Export on an alert details page to download the detailed Excel alert report.

Note

The export to Excel option is also only available for alerts that use the classic Defender for Identity structure. For more information about differences in how alerts are presented in the Defender portal, see View and manage alerts.

The downloaded file includes summary details about the alert on the first tab, including:

  • Title
  • Description
  • Start Time (UTC)
  • End Time (UTC)
  • Severity – Low/Medium/High
  • Status – Open/Closed
  • Status Update Time (UTC)
  • View in browser

All involved entities, including accounts, computers, and resources are listed, separated by their role. Details are provided for the source, destination, or attacked entity, depending on the alert.

Most of the tabs include the following data per entity:

  • Name
  • Details
  • Type
  • SamName
  • Source Computer
  • Source User (if available)
  • Domain Controllers
  • Accessed Resource: Time, Computer, Name, Details, Type, Service
  • Related entities: ID, Type, Name, Unique Entity Json, Unique Entity Profile Json
  • All raw activities captured by Defender for Identity sensors related to the alert (network or event activities), including:
    • Network Activities
    • Event Activities

Some alerts have extra tabs, such as details about:

  • Attacked accounts when the suspected attack used Brute Force.
  • Domain Name System (DNS) servers when the suspected attack involved network mapping reconnaissance (DNS).

For example:

Screenshot showing a Microsoft Defender for Identity alert summary for network mapping reconnaissance (DNS), with summary details.

How can I use Defender for Identity information in an investigation?

Investigations can be as detailed as needed. Here are some ideas of ways to investigate using the data provided by Defender for Identity.

In each alert, the last tab provides the Related Entities. Related entities are all entities involved in a suspicious activity, without the separation of the "role" they played in the alert. Each entity has two Json files, the Unique Entity Json and Unique Entity Profile Json. Use these two Json files to learn more about the entity and to help you investigate the alert.

Unique Entity Json file

Includes the data Defender for Identity learned from Active Directory about the account. This includes all attributes such as Distinguished Name, SID, LockoutTime, and PasswordExpiryTime. For user accounts, includes data such as Department, Mail, and PhoneNumber. For computer accounts, includes data such as OperatingSystem, IsDomainController, and DnsName.

Unique Entity Profile Json file

Includes all data Defender for Identity profiled on the entity. Defender for Identity uses the captured network and event activities to learn about the environment's users and computers, and profiles the relevant information per entity. This information contributes to Defender for Identity's threat identification capabilities.
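As an added illustration of how the two Json files from the Related Entities tab can be used in triage (this is example code, not part of the Microsoft documentation or the product), the block below walks the rows, parses both files, and flags the points an analyst would check first: a locked-out or password-expired account, a source computer the account is not usually seen on, and any involved domain controller. The rows are constructed; the column names come from the page, but the keys inside the Json strings (and the `UsualComputers` profile field) are assumptions for this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample rows modelled on the Related Entities tab columns named on
# the page (ID, Type, Name, Unique Entity Json, Unique Entity Profile Json).
# The keys inside the two JSON strings are assumptions for this example.
RELATED_ENTITIES = [
    {"ID": "1", "Type": "User", "Name": "svc-backup",
     "Unique Entity Json": json.dumps({
         "DistinguishedName": "CN=svc-backup,OU=Service,DC=contoso,DC=local",
         "SID": "S-1-5-21-1111-2222-3333-1105",
         "LockoutTime": "2024-05-02T09:14:00Z",
         "PasswordExpiryTime": "2023-12-31T00:00:00Z",
         "Department": "IT", "Mail": "svc-backup@contoso.local"}),
     "Unique Entity Profile Json": json.dumps({"UsualComputers": ["WS01", "WS02"]})},
    {"ID": "2", "Type": "Computer", "Name": "DC01",
     "Unique Entity Json": json.dumps({
         "DistinguishedName": "CN=DC01,OU=Domain Controllers,DC=contoso,DC=local",
         "OperatingSystem": "Windows Server 2019", "IsDomainController": True,
         "DnsName": "dc01.contoso.local"}),
     "Unique Entity Profile Json": json.dumps({"UsualComputers": []})},
]


def triage_related_entities(rows, source_computer, now=None):
    """Return (entity name, finding) pairs worth an analyst's attention."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in rows:
        entity = json.loads(row["Unique Entity Json"])      # AD attributes
        profile = json.loads(row["Unique Entity Profile Json"])  # learned behaviour
        name = row["Name"]
        if row["Type"] == "User":
            if entity.get("LockoutTime"):
                findings.append((name, f"locked out at {entity['LockoutTime']}"))
            expiry = entity.get("PasswordExpiryTime")
            if expiry and datetime.fromisoformat(expiry.replace("Z", "+00:00")) < now:
                findings.append((name, "password expired before the alert"))
            usual = profile.get("UsualComputers", [])
            if usual and source_computer not in usual:
                findings.append((name, f"{source_computer} is not a usual computer"))
        elif row["Type"] == "Computer":
            if entity.get("IsDomainController"):
                findings.append((name, f"domain controller ({entity.get('DnsName')})"))
    return findings


if __name__ == "__main__":
    for name, finding in triage_related_entities(RELATED_ENTITIES, "WS07"):
        print(f"{name}: {finding}")
```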

Screenshot showing the Related Entities tab of a Microsoft Defender for Identity alert report for Network mapping reconnaissance (DNS).

For more information about how to work with Defender for Identity security alerts, see Working with security alerts.