
What's new and What's learning period in Microsoft Defender for Identity

Elie Karkafy
Microsoft MVP | MCT | Senior Solutions Architect at ampiO Solutions
Published October 16, 2023

In this blog post, I will explain an advanced settings capability available in Microsoft Defender for Identity that helps security admins evaluate the product and tune the sensitivity level of its alerts.

What is the learning period in MDI, and what are the latest enhancements added to that feature?

Ready? Let’s Go!!!

Introduction

The learning period is an advanced setting available in MDI, and it is turned on for the first 30 days by default. During that period, Microsoft Defender for Identity monitors, learns, and builds a profile of all normal network activity.

When the 30 days are complete, the learning period is automatically turned off and admins receive a health alert notification.

Learning Period

The learning period is very useful when admins are evaluating MDI's capabilities: it helps MDI build the baseline of the network, but it can also cause a high volume of alerts triggered by legitimate activities during the first 30 days.

For example, admins may have installed the MDI sensor on their domain controller and want to start receiving alerts immediately, before the 30-day learning period ends. In that situation, admins can turn off the learning period by enabling the Remove learning period feature in MDI settings. In contrast, if admins don't want to receive alerts immediately and want MDI to keep learning about their environment for the first 30 days, they can leave the Remove learning period feature off.

To access the Advanced settings page in Microsoft 365 Defender, you need at least the Security administrator or Global administrator role.

To enable the Remove learning period feature:

  1. In Microsoft 365 Defender, go to Settings > Identities > Advanced settings.
  2. Use the toggle to turn the learning period on or off.

Learning Period New Enhancements

The MDI product team released a new enhancement to the learning period capability that allows admins to set the sensitivity level of the learning period for specific alerts.

Normal means that learn mode is turned off for the selected alert, Medium means that the detection triggers immediately, and High means that the detection triggers immediately and includes a low alert threshold.

As an example, admins turn on the Remove learning period feature and set the Suspicious additions to sensitive groups alert to High sensitivity. By default, MDI requires four weeks per domain controller, starting from the first event, to finish the learning period for this alert. However, since the admins are testing and evaluating the product, they want to get alerts immediately if someone makes any change to a tagged sensitive group in the local Active Directory, without waiting for the 4-week period to end.

Supported alert types for the learning period are as follows:

https://learn.microsoft.com/en-us/defender-for-identity/advanced-settings#supported-alert-types-for-learning-periods

Simulation Test

Assume I am an admin who is evaluating the MDI capabilities, and one of the alerts I want to test is the Suspicious additions to sensitive groups alert. For this purpose, I installed the MDI sensor on my domain controller, turned on the Remove learning period feature, and set the sensitivity level of this alert to High mode.

With that in place, I am telling MDI that I want to receive an alert immediately if any changes are made to any of my tagged sensitive groups, regardless of how much time MDI requires to finish the learning period and build my network baseline.

In my MDI settings, I have tagged my Domain Admins group in the local Active Directory as a sensitive group.

I navigated to my local Active Directory and added myself to the Domain Admins group, which is already tagged as a sensitive group in MDI.

And voila! Within minutes, MDI triggered an alert stating that suspicious additions have been made to a sensitive group, which is the Domain Admins group in my case.

The alert details show the alert story, the added member, and the modified sensitive group.
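As an added example (not from the original post and not Microsoft's code), the following Python model replays constructed group-addition events through the two knobs described in the sensitivity section and exercised in the simulation above: the Remove learning period toggle, which decides whether the per-domain-controller four-week window suppresses the Suspicious additions to sensitive groups alert, and the alert threshold, where High mode's low threshold is modelled as a single addition. The default threshold of two additions, the event fields, the actor names and the DC name are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample "member added to group" events as one domain controller would report
# them (synthetic, not MDI telemetry). Fields: timestamp, DC, actor, group, member.
EVENTS = [
    ("2023-09-01T09:00:00", "DC01", "svc_hr", "HR-Users", "alice"),
    ("2023-09-02T10:15:00", "DC01", "admin1", "Domain Admins", "admin1"),
    ("2023-10-05T11:00:00", "DC01", "bob", "Domain Admins", "mallory"),
    ("2023-10-05T11:02:00", "DC01", "bob", "Domain Admins", "eve"),
]

SENSITIVE_GROUPS = {"Domain Admins"}   # groups tagged as sensitive in MDI settings
LEARNING_PERIOD = timedelta(weeks=4)   # per-DC window from the first event, as the post states
DEFAULT_THRESHOLD = 2                  # assumed default; High mode's "low threshold" is modelled as 1

@dataclass
class SensitiveGroupDetector:
    remove_learning_period: bool       # the Advanced settings toggle
    threshold: int = DEFAULT_THRESHOLD # additions to one sensitive group before an alert fires
    first_seen: dict = field(default_factory=dict)  # dc -> timestamp of its first event
    additions: dict = field(default_factory=dict)   # (dc, group) -> additions counted after learning

    def in_learning_period(self, dc, ts):
        """True while the DC is inside its 4-week window and the toggle is off."""
        self.first_seen.setdefault(dc, ts)
        in_window = ts - self.first_seen[dc] < LEARNING_PERIOD
        return in_window and not self.remove_learning_period

    def evaluate(self, ts, dc, actor, group, member):
        """Return an alert string, or None when the addition is suppressed or below threshold."""
        ts = datetime.fromisoformat(ts)
        learning = self.in_learning_period(dc, ts)    # records first_seen for every event
        if group not in SENSITIVE_GROUPS or learning:
            return None
        key = (dc, group)
        self.additions[key] = self.additions.get(key, 0) + 1
        if self.additions[key] < self.threshold:
            return None
        return f"Suspicious additions to sensitive groups: {actor} added {member} to {group} on {dc}"

def replay(remove_learning_period, threshold=DEFAULT_THRESHOLD):
    """Replay the constructed events through one detector and return the alerts that fire."""
    detector = SensitiveGroupDetector(remove_learning_period, threshold)
    alerts = []
    for event in EVENTS:
        alert = detector.evaluate(*event)
        if alert:
            alerts.append(alert)
    return alerts
```

With the toggle off, the 2 September addition falls inside DC01's learning window and is never seen; with the toggle on and threshold 1 (the post's High-mode test), that same single addition alerts at once.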

Conclusion

The learning period is a crucial feature during the MDI evaluation period. It is always recommended to enable it with caution and to define your sensitivity level for each alert based on the use case.
