Defender for Identity entity tags in Microsoft Defender XDR
- Microsoft Defender XDR
- Defender for Identity
As part of the convergence with Microsoft Defender XDR, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features.
In Microsoft Defender XDR, you can set three types of Defender for Identity entity tags: Sensitive tags, Honeytoken tags, and Exchange server tags.
To set these tags, in Microsoft Defender XDR, go to Settings and then Identities.
The tag settings will appear under Entity tags.
To set each type of tag, follow the instructions below.
The Sensitive tag is used to identify high value assets. The lateral movement path also relies on an entity's sensitivity status. Some entities are considered sensitive automatically by Defender for Identity. For a list of those assets, see Sensitive entities.
You can also manually tag users, devices, or groups as sensitive.
Select Sensitive. You will then see the existing sensitive Users, Devices, and Groups.
Under each category, select Tag... to tag that type of entity. For example, under Groups, select Tag groups. A pane will open with the groups you can select to tag. To search for a group, enter its name in the search box.
Select your group, and click Add selection.
Honeytoken entities are used as traps for malicious actors. Any authentication associated with these honeytoken entities triggers an alert.
You can tag users or devices with the Honeytoken tag in the same way you tag sensitive accounts.
Select Honeytoken. You'll then see the existing honeytoken Users and Devices.
Under each category, select Tag... to tag that type of entity. For example, under Users, select Tag users. A pane will open with the groups you can select to tag. To search for a group, enter its name in the search box.
Select your user, and click Add selection.
Exchange server tags
Defender for Identity considers Exchange servers as high-value assets and automatically tags them as Sensitive. You can also manually tag devices as Exchange servers.
Select Exchange server. You'll then see the existing devices labeled with the Exchange server tag.
To tag a device as an Exchange server, select Tag devices. A pane will open with the devices that you can select to tag. To search for a device, enter its name in the search box.
Select your device, and click Add selection.