Microsoft Defender for Identity – Updated Advanced Settings Page

Last Updated on February 24, 2024 by Michael Morten Sonne

Intoduction

In Public Preview as this post is written

Introducing the Updated Advanced Settings Page for Microsoft Defender for Identity – Now “Alerts Thresholds”

Thrilled to share that the Microsoft Defender for Identity (MDI) team has revamped the Advanced Settings page, now known as ‘Alerts Thresholds.’, offering a more tailored and flexible approach to your monitoring preferences.

Defender for Identity alerts utilize learning periods to establish patterns and distinguish between legitimate and suspicious activities. Each alert incorporates specific conditions in the detection logic, including alert thresholds and filtering for popular activities. Utilize the Adjust alert thresholds page to tailor the threshold level for specific alerts, thereby influencing their alert volume.

What’s new

Now, with ‘Alerts Thresholds,’ you have unparalleled control over the threshold level for each alert on your list, regardless of the ‘Remove Learning Period’ setting. Let’s delve into the key updates:

  • Flexible Threshold Adjustment: Easily adjust the threshold level for each alert, empowering you to customize your monitoring experience according to your specific needs.
  • Default Behavior – High Level: The ‘High’ level represents the default behavior, ensuring a standard alert configuration for your convenience.
  • Alert Volume Control: Transition from ‘High’ to ‘Medium’ or ‘Low’ to fine-tune your alert volume based on your preferences and operational requirements.
  • Recommended Test Mode: Enable ‘Recommended Test Mode’ to set all thresholds to ‘Low,’ creating an ideal environment for comprehensive testing and analysis.

It’s important to note that alerts are triggered immediately under certain conditions. If the Recommended test mode option is selected, or if a threshold level is set to Medium or Low, alerts will be triggered promptly, regardless of whether the alert’s learning period has concluded. This flexibility allows users to actively manage and fine-tune the alerting behavior based on their specific testing or monitoring requirements, nice! 👌

Use cases

The enhanced ‘Alerts Thresholds’ feature opens up a multitude of use cases to optimize your MDI experience:

  • Validation of MDI Security Alerts – Removing Learning Periods:
    • Effectively validate MDI security alerts without constraints imposed by learning periods.
  • Adjust Alert Trigger Logic Based on Customer Needs:
    • Tailor alert trigger logic to meet specific customer requirements. For instance, fine-tune MDI detections with built-in thresholds, trigger delays, Suspected identity theft detections, Suspected DCSync attack (replication of directory services), and IP address profiling, ensuring accurate assessments such as identifying of NAT devices.

How to try it

Prerequisites

  • To view the Adjust alerts thresholds page in the Microsoft Defender XDR portal you need access at least as a Security viewer.
  • To make changes on the Adjust alerts thresholds page you need access at least as a Security administrator.

Enable Preview features

Change only the default and recommend alert thresholds from the default (High) only after careful consideration.

To experience this feature, it’s necessary to activate the Preview Features within the Microsoft Defender XDR Portal.

To do this, go to Home – Microsoft Defender > System > Settings > Preview features and set the toggle under Preview features from Off to On:

Enable Preview features for Microsoft Defender

The new settings page

You can start exploring the enhanced flexibility of the ‘Alerts Thresholds’ feature today. Dive into the revamped settings and unlock a new level of customization for your monitoring preferences.

Explore, customize, and stay secure with Microsoft Defender for Identity – now with ‘Alerts Thresholds.’

To find the portal, go to Home – Microsoft Defender > System > Settings >Identities > Alert and Thresholds

The Alert and Thresholds page
  • Find the alert you wish to modify the threshold for, and then choose the desired threshold level to apply. The options is:
    • High is the default value, and applies standard thresholds to reduce false positives.
    • Medium and Low thresholds increase the number of alerts generated by Defender for Identity.
  • If you choose either Medium or Low, the Information column will highlight key details to assist you in comprehending how the alteration influences the alert behavior – read it!
  • Select Apply changes to save your changes.

Select Revert to default and then Apply changes to reset all alerts to the default threshold (High). Returning to the default setting is permanent, and any adjustments made to your threshold levels will be discarded and cannot be recovered.

Activate Test Mode

The Recommended test mode feature is crafted to provide a understanding of all Defender for Identity alerts, encompassing those associated with genuine traffic and activities. This facilitates an efficient evaluation of Defender for Identity in your enviroment.

If you have recently implemented Defender for Identity, opt for the Recommended test mode to switch all alert thresholds to Low, thereby amplifying the number of triggered alerts.

During the Recommended test mode, threshold levels in the portal become read-only. Once your testing is complete, deactivate the Recommended test mode to revert to your initial settings.

Click on Apply changes to ensure the preservation of your modifications. Then you are ready! 🥳🔐

Supported detections for threshold configurations

The table below outlines the categories of detections that allow modifications to threshold levels, along with the implications of selecting Medium and Low thresholds.

Cells labeled as N/A signify that the threshold level is not applicable or supported for the specific detection. I think more will come over time

DetectionMedium High
Security principal reconnaissance (LDAP)When set to Medium, this detection triggers alerts immediately, without waiting for a learning period, and also disables any filtering for popular queries in the environment.When set to Low, all support for the Medium threshold applies, plus a lower threshold for queries, single scope enumeration, and more.
Suspicious additions to sensitive groupsN/A When set to Low, this detection avoids the sliding window and ignores any previous learnings. 
Suspected AD FS DKM key read N/A When set to Low, this detection triggers immediately, without waiting for a learning period. 
Suspected Brute Force attack (Kerberos, NTLM) When set to Medium, this detection ignores any learning done and has a lower threshold for failed passwords. When set to Low, this detection ignores any learning done and has the lowest possible threshold for failed passwords. 
Suspected DCSync attack (replication of directory services) When set to Medium, this detection triggers immediately, without waiting for a learning period. When set to Low, this detection triggers immediately, without waiting for a learning period, and avoids IP filtering like NAT or VPN. 
Suspected Golden Ticket usage (forged authorization data) N/AWhen set to Low, this detection triggers immediately, without waiting for a learning period. 
Suspected Golden Ticket usage (encryption downgrade) N/AWhen set to Low, this detection triggers an alert based on lower confidence resolution of a device. 
Suspected identity theft (pass-the-ticket) N/A When set to Low, this detection triggers immediately, without waiting for a learning period, and avoids IP filtering like NAT or VPN. 
User and Group membership reconnaissance (SAMR) When set to Medium, this detection triggers immediately, without waiting for a learning period. When set to Low, this detection triggers immediately and includes a lower alert threshold. 
This is the options as of this post is written – Credit: Microsoft

For additional information on all alerts within Defender for Identity, please refer to this page: Security alerts in Microsoft Defender for Identity – the list is loooong 🤣🔐

Review security alerts

Alerts from Defender for Identity can be accessed from multiple locations, including the Alerts page, the Incidents page, the pages of individual Devices, and from the Advanced hunting page. Here I show how to use the Alerts page.

In the Microsoft Defender XDR portal select Incidents & alerts > Alerts.

To see alerts from Defender for Identity, on the top-right select Filter, and then under Service sources select Microsoft Defender for Identity, and then select Apply.

Conclusion

In summary, the enhanced Alerts Thresholds feature in Microsoft Defender for Identity provides users with greater flexibility and customization options. Admins can now adjust threshold levels for specific alerts, optimizing their monitoring experience based on individual needs.

The introduction of Recommended Test Mode streamlines comprehensive testing by setting all thresholds to ‘Low’. However, users should be cautious when reverting to default settings, as it is an irreversible action.

Additionally, the ability to activate Test Mode allows for a thorough evaluation of Defender for Identity alerts, offering valuable insights into both legitimate and suspicious activities.

The read-only nature of threshold levels during test mode ensures consistency in testing, and users can easily apply changes as needed. The detailed table outlines supported detections for threshold adjustments, aiding users in making informed decisions.

Overall, these updates empower admins to fine-tune their alert configurations, contributing to a more efficient and tailored security monitoring experience.

It was an enjoyable experience testing it during the Private Preview phase as a participant in the Microsoft Customer Connection Program! 😉🔐

Thank you for taking the time to visit my blog. Kindly share it with others if you find it helpful for them! 😉🔐👍

Stay tuned for the new post about something cool! 🥳

References

What’s new – Microsoft Defender for Identity | Microsoft Learn

Total
0
Shares
Previous Article

Entra ID - Global Secure Access Client - Installation of the Agent on Windows - Part 2

Next Article

PowerShell - Code Sign and validate files in a folder with optimized logic

Related Posts

Discover more from Sonne´s Cloud

Subscribe now to keep reading and get access to the full archive 🤝🧑‍💻

Join 15 other subscribers