ManageEngine x Forrester | Workforce Identity Platforms Landscape Report

Azure Active DirectoryAzure AD Security

Event collection with Microsoft Defender for Identity

Understanding Windows event logs

Windows event logs are detailed records of events occurring in a Windows operating system, arranged chronologically for easy identification. These logs include both hardware and software events related to the system, security, and applications. By monitoring Windows event logs, network engineers can:

  • Track any system failures or errors
  • Investigate threats, attacks, or unauthorized activities
  • Perform effective diagnoses and resolve system issues
  • Foresee future issues based on current event log data

What is Microsoft Defender for Identity?

Formerly known as Azure Advanced Threat Protection (Azure ATP), Microsoft Defender for Identity (MDI) is a cloud-based security solution from Microsoft. It helps organizations monitor identities with high security in both on-premises and hybrid environments. With modern Identity Threat Detection and Response (ITDR), your organization’s security operation teams can prevent, detect, investigate, and respond to data breaches, threats, and attacks. By analyzing user profiles and security reports, MDI provides relevant insights on identity configurations, helping understand identity structures and suggesting best practices to enhance security.

How Microsoft Defender for Identity uses Windows event logs

MDI collects information about system events from Windows event logs to enhance security. For domain controllers to collect these specific events, you need to enable Advanced Audit Policy settings using a group policy.

Steps to enable advanced audit policy

Follow these steps to enable Advanced Audit Policy settings:

  1. Sign in to a Domain Controller or a server with GPMC access using Domain Administrator credentials.
  2. Navigate to Server Manager > Tools > Group Policy Management.
  3. In the left pane, right-click on Domain Controllers Organizational Units and select Create a GPO in this domain, and Link it here.
  4. In the New GPO window, enter a name for the new policy in the Name field and click OK.
  5. Right-click on the new policy and click Edit.
  6. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies to view various policy settings.
  7. Enable the policy settings given in the table below for both success and failure audit events and click OK.

Policy settings table:


Policy Setting

Account Logon

Audit Credential Validation

Account Management


Audit Computer Account Management

Audit Distribution Group Management

Audit Security Group Management

Audit User Account Management

DS Access

Audit Directory Service Access


Audit Security System Extension

By following the steps above, you can configure Windows event collection for Microsoft Defender for Identity. This enhances your organization’s security by providing insights from Windows event logs, enabling proactive monitoring and response to potential threats.

Related posts
Azure Active DirectoryAzure AD Management

How to implement app registration in Microsoft Entra ID

Azure Active DirectoryAzure AD Management

How to register apps using Microsoft Entra ID

Azure Active DirectoryAzure AD Security

How to monitor and report security events in Microsoft Entra ID

Azure Active DirectoryAzure AD Management

How to implement device enrollemnt via Microsoft Intune


There are over 8,500 people who are getting towards perfection in Active Directory, IT Management & Cyber security through our insights from Identitude.

Wanna be a part of our bimonthly curation of IAM knowledge?

  • -Select-
  • By clicking 'Become an insider', you agree to processing of personal data according to the Privacy Policy.