Merge pull request #2496 from MicrosoftDocs/main

Publish main to live, 01/20/25, 10:30 AM PT

Author: Ruchika-mittal01

defender-xdr/media/eval-defender-xdr/defender-cloud-apps-siem-integration.svg

@@ -1,13 +1,13 @@
 ---
-title: How do I pilot and deploy Microsoft Defender for Identity>
-description: How to pilot and deploy Microsoft Defender for Identity in your production Microsoft 365 tenant.
+title: How do I pilot and deploy Microsoft Defender for Identity
+description: Learn how to pilot and deploy Microsoft Defender for Identity as part of Microsoft Defender XDR to enhance your organization's security posture.
 search.appverid: met150
 ms.service: defender-xdr
 f1.keywords: 
   - NOCSH
 ms.author: dansimp
 author: dansimp
-ms.date: 05/31/2024
+ms.date: 01/12/2025
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
@@ -18,20 +18,20 @@ ms.collection:
   - zerotrust-solution
   - highpri
   - tier1
-ms.topic: conceptual
+ms.topic: concept-article
+#customerIntent: As a security admin, I want to pilot and deploy Microsoft Defender for Identity to evaluate it's ability to enhance my organization's security posture and protect against identity-based threats.
 ---
 
 # Pilot and deploy Microsoft Defender for Identity
 
-
 **Applies to:**
 - Microsoft Defender XDR
 
-This article provides a workflow for piloting and deploying Microsoft Defender for Identity in your organization. You can use these recommendations to onboard Microsoft Defender for Identity as an individual cybersecurity tool or as part of an end-to-end solution with Microsoft Defender XDR.
+This article provides a workflow for piloting and deploying Microsoft Defender for Identity in your organization. Use these recommendations to onboard Microsoft Defender for Identity as part of an end-to-end solution with Microsoft Defender XDR.
 
-This article assumes you have a production Microsoft 365 tenant and are piloting and deploying Microsoft Defender for Identity in this environment. This practice will maintain any settings and customizations you configure during your pilot for your full deployment.
+This article assumes you have a production Microsoft 365 tenant and are piloting and deploying Microsoft Defender for Identity in this environment. This practice will maintain any settings and customizations you configure during your pilot for your [full deployment](/defender-for-identity/deploy/deploy-defender-identity).
 
-Defender for Office 365 contributes to a Zero Trust architecture by helping to prevent or reduce business damage from a breach. For more information, see the [Prevent or reduce business damage from a breach](/security/zero-trust/adopt/prevent-reduce-business-damage-breach) business scenario in the Microsoft Zero Trust adoption framework.
+Defender for Identity contributes to a Zero Trust architecture by helping to prevent or reduce business damage from a breach. For more information, see the [Prevent or reduce business damage from a breach](/security/zero-trust/adopt/prevent-reduce-business-damage-breach) business scenario in the Microsoft Zero Trust adoption framework.
 
 ## End-to-end deployment for Microsoft Defender XDR
 
@@ -51,7 +51,7 @@ The articles in this series correspond to the following phases of end-to-end dep
 
 The following diagram illustrates a common process to deploy a product or service in an IT environment.
 
-:::image type="content" source="./media/eval-defender-xdr/adoption-phases.svg" alt-text="Diagram of the pilot, evaluate, and full deployment adoption phases." lightbox="./media/eval-defender-xdr/adoption-phases.svg":::
+:::image type="content" source="./media/eval-defender-xdr/adoption-phases.svg" alt-text="Diagram of the pilot, evaluate, and full deployment adoption phases." lightbox="./media/eval-defender-xdr/adoption-phases.svg" border="false":::
 
 You start by evaluating the product or service and how it will work within your organization. Then, you pilot the product or service with a suitably small subset of your production infrastructure for testing, learning, and customization. Then, gradually increase the scope of the deployment until your entire infrastructure or organization is covered.
 
@@ -65,16 +65,15 @@ Follow these steps:
 1. [Install and configure sensors](#step-2)
 1. [Configure event log and proxy settings on machines with the sensor](#step-3)
 1. [Allow Defender for Identity to identify local admins on other computers](#step-4)
-1. [Configure benchmark recommendations for your identity environment](#step-5)
-1. [Try out capabilities](#step-6)
+1. [Try out capabilities](#step-5)
 
 Here are the recommended steps for each deployment stage.
 
 | Deployment stage | Description |
 | --- | --- |
 | Evaluate | Perform product evaluation for Defender for Identity. |
-| Pilot | Perform Steps 1-6 for a suitable subset of servers with sensors in your production environment. |
-| Full deployment | Perform Steps 2-5 for your remaining servers, expanding beyond the pilot to include all of them. |
+| Pilot | Perform Steps 1-5 for a suitable subset of servers with sensors in your production environment. |
+| Full deployment | Perform Steps 2-4 for your remaining servers, expanding beyond the pilot to include all of them. |
 
 ### Protecting your organization from hackers
 
@@ -113,77 +112,64 @@ In this illustration:
 
 Defender for Identity sensors can be directly installed on the following servers:
 
-- AD DS domain controllers
-
-  The sensor directly monitors domain controller traffic, without the need for a dedicated server or the configuration of port mirroring.
-
-- AD CS servers
-- AD FS servers
-
-  The sensor directly monitors network traffic and authentication events.
+- **AD DS domain controllers**. The sensor directly monitors domain controller traffic, without the need for a dedicated server or the configuration of port mirroring.
+- **AD FS servers / AD CS servers**. The sensor directly monitors network traffic and authentication events.
 
 For a deeper look into the architecture of Defender for Identity, see [Microsoft Defender for Identity architecture](/defender-for-identity/architecture).
 
 <a name="step-1"></a>
 
 ## Step 1: Set up the Defender for Identity instance
 
-First, Defender for Identity requires some prerequisite work to ensure that your on-premises identity and networking components meet minimum requirements. Use the [Microsoft Defender for Identity prerequisites](/defender-for-identity/prerequisites) article as a checklist to ensure your environment is ready.
-
-Next, sign in to the Defender for Identity portal to create your instance and then connect this instance to your Active Directory environment.
-
-| Step | Description | More information |
-|---|---|---|
-| 1 | Create the Defender for Identity instance | [Quickstart: Create your Microsoft Defender for Identity instance](/defender-for-identity/install-step1) |
-| 2 | Connect the Defender for Identity instance to your Active Directory forest | [Quickstart: Connect to your Active Directory Forest](/defender-for-identity/install-step2) |
+Sign in to the Defender portal to start deploying supported services, including Microsoft Defender for Identity. For more information, see [Start using Microsoft Defender XDR](/defender-for-identity/deploy/deploy-defender-identity##start-using-microsoft-defender-xdr).
 
 <a name="step-2"></a>
 
-## Step 2: Install and configure sensors
+## Step 2: Install your sensors
+
+Defender for Identity requires some prerequisite work to ensure that your on-premises identity and networking components meet minimum requirements for you to install the Defender for Identity sensor in your environment.
 
-Next, download, install, and configure the Defender for Identity sensor on the domain controllers, AD FS, and AD CS servers in your on-premises environment.
+Once you're sure of your environment's readiness, plan your capacity, and verify connectivity to Defender for Identity. Then when you're ready, download, install, and configure the Defender for Identity sensor on the domain controllers, AD FS, and AD CS servers in your on-premises environment.
 
 | Step | Description | More information |
 |---|---|---|
-| 1 | Determine how many Microsoft Defender for Identity sensors you need. | [Plan capacity for Microsoft Defender for Identity](/defender-for-identity/capacity-planning) |
-| 2 | Download the sensor setup package | [Quickstart: Download the Microsoft Defender for Identity sensor setup package](/defender-for-identity/install-step3) |
-| 3 | Install the Defender for Identity sensor | [Quickstart: Install the Microsoft Defender for Identity sensor](/defender-for-identity/install-step4) |
-| 4 | Configure the sensor | [Configure Microsoft Defender for Identity sensor settings](/defender-for-identity/install-step5)|
+| 1 | Confirm that your environment meets Defender for Identity prerequisites. | [Microsoft Defender for Identity prerequisites](/defender-for-identity/prerequisites)|
+| 2 | Determine how many Microsoft Defender for Identity sensors you need. | [Plan capacity for Microsoft Defender for Identity](/defender-for-identity/capacity-planning) |
+| 3 | Verify connectivity to the Defender for Identity service | [Check network activity](/defender-for-identity/deploy/quick-installation-guide#check-network-connectivity) |
+| 4 | Download and install the Defender for Identity sensor | [Install Defender for Identity](/defender-for-identity/deploy/quick-installation-guide#install-defender-for-identity)  |
+| 5 | Configure the sensor | [Configure Microsoft Defender for Identity sensor settings](/defender-for-identity/deploy/configure-sensor-settings)|
 
 <a name="step-3"></a>
 
 ## Step 3: Configure event log and proxy settings on machines with the sensor
 
-On the machines that you installed the sensor on, configure Windows event log collection and Internet proxy settings to enable and enhance detection capabilities.
+On the machines that you installed the sensor on, configure Windows event log collection to enable and enhance detection capabilities.
 
 | Step | Description | More information |
 |---|---|---|
-| 1 | Configure Windows event log collection | [Configure Windows Event collection](/defender-for-identity/configure-windows-event-collection) |
-| 2 | Configure Internet proxy settings | [Configure endpoint proxy and Internet connectivity settings for your Microsoft Defender for Identity Sensor](/defender-for-identity/configure-proxy) |
+| 1 | Configure Windows event log collection | [Event collection with Microsoft Defender for Identity](/defender-for-identity/deploy/event-collection-overview) <br><br>[Configure audit policies for Windows event logs](/defender-for-identity/deploy/configure-windows-event-collection) |
 
 <a name="step-4"></a>
 
 ## Step 4: Allow Defender for Identity to identify local admins on other computers
 
-Microsoft Defender for Identity lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity Service account.
+Microsoft Defender for Identity lateral movement path (LMP) detection relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity Service account.
 
 To ensure Windows clients and servers allow your Defender for Identity account to perform SAM-R, a modification to Group Policy must be made to add the Defender for Identity service account in addition to the configured accounts listed in the Network access policy. Make sure to apply group policies to all computers **except domain controllers**.
 
-For instructions on how to do this, see [Configure Microsoft Defender for Identity to make remote calls to SAM](/defender-for-identity/install-step8-samr).
+For instructions on how to do this, see [Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity](/defender-for-identity/deploy/remote-calls-sam).
 
 <a name="step-5"></a>
 
-## Step 5: Configure benchmark recommendations for your identity environment
-
-Microsoft provides security benchmark recommendations for customers using Microsoft Cloud services. The [Azure Security Benchmark](/security/benchmark/azure/overview) (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure.
-
-Implementing these recommendations can take some time to plan and implement. While these recommendations greatly increase the security of your identity environment, they shouldn't prevent you from continuing to evaluate and implement Microsoft Defender for Identity. These recommendations are provided here for your awareness.
+## Step 5: Try out capabilities
 
-<a name="step-6"></a>
+The Defender for Identity documentation includes the following articles that walk through the process of identifying and remediating various attack types:
 
-## Step 6: Try out capabilities
+- [Investigate assets](/defender-for-identity/investigate-assets), including suspicious users, groups, and devices
+- [Understand and investigate LMPs with Microsoft Defender for Identity](/defender-for-identity/understand-lateral-movement-paths)
+- [Understand security alerts](/defender-for-identity/understanding-security-alerts)
 
-The Defender for Identity documentation includes the following tutorials that walk through the process of identifying and remediating various attack types:
+For more information, see:
 
 - [Reconnaissance alerts](/defender-for-identity/reconnaissance-alerts)
 - [Compromised credential alerts](/defender-for-identity/compromised-credentials-alerts)
@@ -197,13 +183,14 @@ The Defender for Identity documentation includes the following tutorials that wa
 
 ## SIEM integration
 
-You can integrate Defender for Identity with Microsoft Sentinel or a generic security information and event management (SIEM) service to enable centralized monitoring of alerts and activities from connected apps. With Microsoft Sentinel, you can more comprehensively analyze security events across your organization and build playbooks for effective and immediate response.
+You can integrate Defender for Identity with Microsoft Sentinel as part of Microsoft's [unified security operations platform](/unified-secops-platform/) or a generic security information and event management (SIEM) service to enable centralized monitoring of alerts and activities from connected apps. With Microsoft Sentinel, you can more comprehensively analyze security events across your organization and build playbooks for effective and immediate response.
 
-:::image type="content" source="./media/eval-defender-xdr/defender-identity-siem-integration.svg" alt-text="A diagram that shows the architecture for Microsoft Defender for Identity with SIEM integration." lightbox="./media/eval-defender-xdr/defender-identity-siem-integration.svg":::
+Microsoft Sentinel includes a Microsoft Defender for XDR data connector to bring all signals from Defender XDR, including Defender for Identity, to Microsoft Sentinel. Use the unified security operations platform in the Defender portal as a single platform for end-to-end security operations (SecOps). 
 
-Microsoft Sentinel includes a Defender for Identity connector. For more information, see [Microsoft Defender for Identity connector for Microsoft Sentinel](/azure/sentinel/data-connectors/microsoft-defender-for-identity).
+For more information, see:
 
-For information about integration with third-party SIEM systems, see [Generic SIEM integration](/cloud-app-security/siem).
+- [Connect Microsoft Sentinel to the Microsoft Defender portal](/defender-xdr/microsoft-sentinel-onboard)
+- [Generic SIEM integration](/cloud-app-security/siem)
 
 ## Next step