Defender for Identity entity tags in Microsoft 365 Defender

Applies to:

  • Microsoft 365 Defender
  • Defender for Identity

This article explains how to apply Microsoft Defender for Identity entity tags in Microsoft 365 Defender.

Important

As part of the convergence with Microsoft 365 Defender, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features.

Entity tags

In Microsoft 365 Defender, you can set three types of Defender for Identity entity tags: Sensitive tags, Honeytoken tags, and Exchange server tags.

To set these tags, in Microsoft 365 Defender, go to Settings and then Identities.

The tag settings will appear under Entity tags.

To set each type of tag, follow the instructions below.

Sensitive tags

The Sensitive tag is used to identify high-value assets. Lateral movement paths also rely on an entity's sensitivity status. Some entities are automatically considered sensitive by Defender for Identity. For a list of those assets, see Sensitive entities.

You can also manually tag users, devices, or groups as sensitive.

  1. Select Sensitive. You will then see the existing sensitive Users, Devices, and Groups.

  2. Under each category, select Tag... to tag that type of entity. For example, under Groups, select Tag groups. A pane will open with the groups you can select to tag. To search for a group, enter its name in the search box.

  3. Select your group, and click Add selection.

Honeytoken tags

Honeytoken entities are used as traps for malicious actors. Any authentication associated with these honeytoken entities triggers an alert.

You can tag users or devices with the Honeytoken tag in the same way you tag sensitive accounts.

  1. Select Honeytoken. You'll then see the existing honeytoken Users and Devices.

  2. Under each category, select Tag... to tag that type of entity. For example, under Users, select Tag users. A pane will open with the users you can select to tag. To search for a user, enter their name in the search box.

  3. Select your user, and click Add selection.

Exchange server tags

Defender for Identity considers Exchange servers as high-value assets and automatically tags them as Sensitive. You can also manually tag devices as Exchange servers.

  1. Select Exchange server. You'll then see the existing devices labeled with the Exchange server tag.

  2. To tag a device as an Exchange server, select Tag devices. A pane will open with the devices that you can select to tag. To search for a device, enter its name in the search box.

  3. Select your device, and click Add selection.
