Skip to main content Link Menu Expand (external link) Document Search Copy Copied
Defender for Identity

Task 3.2: Investigate a persistence and privilege escalation alert

Microsoft Defender for Identity is a tool used to discover and analyze attacks. This is an important feature that will help ensure that your environment is secure. Please take your time when analyzing these attacks to become comfortable with their capabilities.

  1. In the DC01 RDP session, in the browser, if you are not already, go to https://security.microsoft.com.

  2. Under Incidents & alerts, select Alerts.

  3. Locate the Suspicious additions to sensitive groups alert.

  4. Select the Suspicious additions to sensitive groups alert to show the details page.

    Sus_Group_Add_MainAlert.jpg

    It can take several minutes for the alert to appear. Wait a few minutes, and then refresh the browser. If you don’t see the alert, you can continue to the next section and return to investigate the alert in a few minutes.

  5. Review the information regarding the Alert story on the details page.

  6. Review the options on the blade on the right side of the details page

    Sus_Group_Add_InvestigateBlade2.jpg

  7. Under the Incident details, select the Incident link.

  8. Review the Incident details page to discover related attacks. This will display additional alerts from the same user or machine.

  9. Review the Incident graph.

    Sus_Group_Add_IncidentGraph.jpg

  10. Select DC01 in the Incident graph, and then select Device details to display information relating to DC01.

    Sus_Group_Add_IncidentGraph_DC01.jpg

  11. Select the X Users, and then select View X Users to display information about the users involved in the attack.

    Sus_Group_Add_IncidentGraph_Users.jpg

  12. Select the X Security groups, and then select View X Security groups to display information about the security groups involved in the attack.

    Sus_Group_Add_IncidentGraph_Groups.jpg

  13. When finished reviewing the Device details, scroll back to the top, and then select Back to incident details.

    IP_Recon_BackToDetails.jpg

  14. Select the Alerts tab, and then select the Suspicious additions to sensitive groups to return to the alert details page.

  15. On the right panel, select Manage alert.

    IP_Recon_ManageAlert.jpg

  16. On the Manage alert blade, configure the options according to the table below.

    Heading Value
    Status Resolved
    Assigned to Assign to me
    Classification Confirmed activity
    Comment The user was legitimately added to the group

  17. Select Save, and then close the Manage alert blade.