SEC02 - Defender for Identity: 3-Wk Proof of Concept (PoC)

Mindcore

Explore Microsoft Defender for Identity through a focused Proof of Concept to assess benefits, user experience and technical fit

Microsoft Defender for Identity monitors your on-premises Active Directory for user and entity behavior, changes to group membership and privileged access usage, and analyzes this information to recognize possible threats such as reconnaissance, compromised credentials, lateral movement and other known attack methods. Analysis is done in real time and gives visibility into starting or ongoing attacks, enabling companies to respond early in the attack and prevent attackers from getting access to vital infrastructure.

We typically discuss Microsoft Defender for Identity with customers that have legacy infrastructure components that rely on an Active Directory infrastructure and where a compromise could be devastating for the business. Our customers consider Defender for Identity when replacing existing tools that perform advanced analytics based on information from Active Directory, or as part of implementing other parts of the Microsoft cloud security stack.

Start ingesting data by installing a sensor on one of the domain controllers that serve user logins. This will give insights into how data is analyzed and how the domain controller is affected by the on-board sensor.

  1. PLANNING: Sensor type, initial capacity overview, integrations, syslog integration, honeytoken account
  2. SETUP DEFENDER FOR IDENTITY: Enable Defender for Identity, install sensors, set up honeytoken account and integrations
  3. ANALYSE INFORMATION: Overview of received alerts and sensor health
  4. CONCLUSIONS & NEXT STEP: Document learnings and conclusions, present findings
