
Task 2.3: Investigate a reconnaissance and discovery alert

Microsoft Defender for Identity is a tool used to discover and analyze attacks. This is an important capability that helps ensure your environment is secure. Take your time when analyzing these attacks so that you become comfortable with the tool's investigation features.

  1. Switch to the DC01 RDP session.

  2. In the browser, if you are not already, go to https://security.microsoft.com.

  3. On the left navigation panel, under Incidents & alerts, select Alerts.

  4. Locate and then select the User and IP address reconnaissance (SMB) alert to show the details page.

    IP_Recon_MainAlert.jpg

    It can take several minutes for the alert to appear. Wait a few minutes and then refresh the browser. If you don’t see the alert, you can continue to the next section and return to investigate the alert in a few minutes.

  5. Review the information regarding the Alert story on the details page.

  6. Review the options on the blade on the right side of the details page.

    IP_Recon_InvestigateBlade2.jpg

  7. Under the Incident details, select the Incident link.

  8. Review the Incident details page to discover related attacks. This will display additional alerts from the same user or machine.

  9. Review the Incident graph.

    IP_Recon_IncidentGraph.jpg

  10. Select each object in the Incident graph to review the available options menu.

  11. Select one of the computer objects and then select Device details to display information relating to the object.

    IP_Recon_IncidentGraphDetail.jpg

  12. When finished reviewing the Device details, scroll back to the top, and then select Back to incident details.

    IP_Recon_BackToDetails.jpg

  13. Go to security.microsoft.com, and under Threat intelligence, select Threat analytics, and then review the details of the report.

    Everything is now integrated with the XDR portal, and MDI is no longer a separate entity.

    ThreatAnalytics.jpeg.jpg

  14. Close the Threat analytics tabs and return to the Incident - Microsoft Defender tab.

  15. Select the Alerts tab, and then select User and IP address reconnaissance (SMB) to return to the alert details page.

  16. On the right panel, select Manage alert.

    IP_Recon_ManageAlert.jpg

  17. On the Manage alert blade, configure the options using the following information:

    | Heading | Value |
    | --- | --- |
    | Status | In progress |
    | Assigned to | AlexW |
    | Classification | Multi staged attack |
    | Comment | This is part of a multi staged attack and requires further investigation. It has been assigned to Alex Wilbur. |

  18. Select Save, and then close the Manage alert blade.
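The same pivot that steps 4 to 8 perform by clicking through the portal can be reproduced in Advanced Hunting. The following KQL is an added example and is not part of the lab or Microsoft's own content; it assumes the alert title from this task, the standard `AlertInfo` and `AlertEvidence` tables, and an arbitrary 7-day lookback window.

```kql
// Added example: locate the MDI "User and IP address reconnaissance (SMB)"
// alert and pivot to its entities and to related alerts on the same accounts,
// which is roughly what the Incident page groups together for you.
let lookback = 7d;   // assumption: adjust to the lab's time frame
let reconAlerts =
    AlertInfo
    | where Timestamp > ago(lookback)
    | where ServiceSource == "Microsoft Defender for Identity"
    | where Title == "User and IP address reconnaissance (SMB)"
    | project AlertId, Timestamp, Title, Severity, Category;
// Entities attached to the alert: accounts, devices and remote IP addresses
// (the same information shown on the alert details page and incident graph).
let reconEvidence =
    reconAlerts
    | join kind=inner (
        AlertEvidence
        | where Timestamp > ago(lookback)
      ) on AlertId
    | summarize
        Accounts = make_set_if(AccountName, isnotempty(AccountName)),
        Devices  = make_set_if(DeviceName,  isnotempty(DeviceName)),
        RemoteIPs = make_set_if(RemoteIP,   isnotempty(RemoteIP))
      by AlertId, Timestamp, Title, Severity, Category;
// Related alerts: any other alert in the window that names one of the same
// accounts, mirroring step 8 (additional alerts from the same user or machine).
reconEvidence
| mv-expand Account = Accounts to typeof(string)
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where isnotempty(AccountName)
    | project RelatedAlertId = AlertId, RelatedTitle = Title,
              RelatedSeverity = Severity, AccountName
  ) on $left.Account == $right.AccountName
| where RelatedAlertId != AlertId
| summarize
    ReconAlertTime = any(Timestamp),
    RelatedAlerts = make_set(RelatedTitle),
    HighestRelatedSeverity = max(RelatedSeverity)
  by AlertId, Account
| order by ReconAlertTime desc
```

Run it from Hunting > Advanced hunting in the same portal; if the query returns no rows, the alert has not been generated yet, which matches the note in step 4 about waiting and refreshing.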