Let's go out to Edge here, and I've already signed into the portal. Now you would need to sign up for Microsoft Defender for Identity, and once you have an account or you have a license, you then can sign into the MDI portal, which is going to be the name of your tenant; in my case, it's timwinfo.atp.azure.com. So it functions along the same lines as Azure, but remember that our point here, at least for the purpose of this lesson, is using Microsoft Defender for Identity to onboard our on-premises Active Directory domains and receive proactive guidance, notifications, alerts, reports, and health status from the service.

Let's actually take a look at the timeline here, because I've had this set up in my lab environment in the past for a little while anyway, enough to where you can see some alerts and a little bit about how the UI behaves in the Microsoft Defender for Identity console. So here you can see it uses an issue format, where you've got issues that are in different states, just like you would in your IT Help Desk or in your Azure DevOps project, whatever the case might be. You can share the alert, you can delete it, you can change its state, but this is giving me some pretty scary ideas here.

It's saying that Tim Warner (so it's telling you who made whatever operation it is that flagged the alert) is running commands remotely on DC1 from MEM1 using PowerShell. Well, let's see if we can get some more details on that. We can download the details. This is just giving us a brief summary. Let's go over to Reports and let's change the view here. We'll bring it back a little bit, and we can download just a summary of alerts and health issues. It looks like it's coming down as an Excel file. I don't have Excel on my system. The good news is that because that's an Excel file, it should make it a lot easier to do whatever transformations you might need on that data.

Let's see, in System Health, this is giving us data on the back end of things. Remember, I explained that the way you onboard your on-premises domain controllers into MDI is by installing a sensor on them. In fact, you download the sensor separately, although actually, it occurs to me you can get to the sensors right from here, right from this portal. So it's just giving you some health information on the connectivity between MDI, which runs in the cloud, and your on-premises environment.

Yeah, I must be missing something fundamental here; I'm wondering why I'm not able to see the details of this report. Well, let me take a look. If we try to drill into a machine, there we go. Yeah, so if we try to drill into one of our domain controllers (I have one here called DC1), this looks like it's giving us some more details here, right. So once we get to the Details page for an alert, I really like how it gives you hyperlinks, because the tool is aware of all of your Active Directory account credentials. This is an account with a SAM name of Tim, as you can see, tim@contoso.com, and because I've onboarded some domain machines here, a domain controller and a member server, those are also registering. Now in the case of external attackers or sensitive alert data that's come from outside, there you'll be able to trace IP addresses rather than identities. So let me see here. If we can continue to click, it's telling us that I did some PowerShell, and eventually we can get down under Evidence here and see exactly what I ran that triggered the alert.

Now this could be useful from a couple of perspectives. For one thing, it could be part of a legitimate investigation, but another thing is that this could be benign traffic, which actually, in this case, it is benign, which means that you can then go into Configuration and configure exemptions so you don't see these alerts happen over and over. You want to bring your signal-to-noise ratio into a good alignment.

So lastly, let's go to Configuration here, and specifically, I want to go over to Sensors, because this is where you're going to make that connection with your on-premises environment. What you'll do is you'll download the sensor setup executable, and when you run that setup on one of your on-premises domain controllers, you'll need to provide the access key that you've got here. It's basically an API key that you want to periodically regenerate so that if it is leaked, you don't have any rogue servers showing up in your MDI instance. It looks like the ATP sensor setup comes down as a zip of about 82, 83 MB, nothing too dramatic. Here is where we can authenticate specifically into our connected domain. Here is where we have some integration, or at least an option for integrating Microsoft Defender for Endpoint.

This is a theme that I've mentioned a couple of times in the training: these Microsoft Defender products are meant to integrate with each other wherever possible. So I think that's about all we need to understand about Microsoft Defender for Identity. I just wanted to go a bit beyond explaining what it is and its use case and show you the portal, just so you can have more of a visual in your mind, so that you'll be more confident yet when you sit and clear Exam AZ-801.