Tutorial: Investigate a user
The Microsoft Defender for Identity features explained on this page are also accessible using the new portal.
Microsoft Defender for Identity alert evidence and lateral movement paths provide clear indications when users have performed suspicious activities or indications exist that their account has been compromised. In this tutorial you'll use the investigation suggestions to help determine the risk to your organization, decide how to remediate, and determine the best way to prevent similar future attacks.
- Gather information about the user.
- Investigate activities that the user performed.
- Investigate resources the user accessed.
- Investigate lateral movement paths.
Recommended investigation steps for suspicious users
Check and investigate the user profile for the following details and activities:
Who is the user?
- Is the user a sensitive user (such as admin, or on a watchlist, etc.)?
- What is their role within the organization?
- Are they significant in the organizational tree?
Suspicious activities to investigate:
- Does the user have other opened alerts in Defender for Identity, or in other security tools such as Microsoft Defender for Endpoint, Azure Security Center and/or Microsoft CAS?
- Did the user have failed log ons?
- Which resources did the user access?
- Did the user access high value resources?
- Was the user supposed to access the resources they accessed?
- Which computers did the user log in to?
- Was the user supposed to log in to those computers?
- Is there a lateral movement path (LMP) between the user and a sensitive user?
- Investigate a computer
- Working with security alerts
- Working with lateral movement paths
- Reconnaissance alerts
- Compromised credential alerts
- Lateral movement alerts
- Domain dominance alerts
- Exfiltration alerts
- Check out the Defender for Identity forum!
- Try our interactive guide: Investigate and respond to attacks with Microsoft Defender for Identity