What's New in Microsoft Defender for Identity in March 2023

Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service: sensors installed on Domain Controllers (and on AD FS servers) feed network and event signals to Microsoft's Machine Learning (ML) algorithms, which detect and report attacks. Its portal lets Active Directory admins investigate and remediate (potential) breaches involving advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP), which was itself the cloud-based successor of the on-premises Advanced Threat Analytics (ATA).


What's New

In March 2023, three new versions of Microsoft Defender for Identity were released:

  1. Version 2.199, released on March 5, 2023
  2. Version 2.200, released on March 16, 2023
  3. Version 2.201, released on March 27, 2023

These releases introduced the following functionality:


Disabling SAM-R queried HoneyTokens

Version 2.199 fixed an issue where some exclusions configured for the Honeytoken was queried via SAM-R alert were not applied. The release notes for version 2.201 then announce that Microsoft is in the process of disabling this alert altogether. Honeytoken accounts should never be accessed or queried, but Microsoft is aware that certain legacy systems query these accounts as part of their regular operations, which makes the built-in alert noisy for those organizations.

If your organization still wants to be alerted on SAM-R queries against honeytoken accounts, admins can build an advanced hunting query over the IdentityQueryEvents table and save it as a custom detection.


Enhancements to the Directory Services Object Auditing health alert

Microsoft has addressed detection logic issues in the Directory Services Object Auditing health alert for:

  • Non-English operating systems
  • Windows Server 2012 with Directory Services schemas earlier than version 87


Removal of two prerequisites

Microsoft removed the prerequisite that a Directory Services account (DSA) must be configured before the sensors on Domain Controllers, AD FS servers and Web Application Proxy servers can start. Note that the release notes only drop the DSA as a start-up requirement; they do not say that a DSA is no longer needed for any functionality, so check the documentation before removing an existing DSA.

Microsoft also no longer requires Domain Controllers to log Event ID 1644 (expensive and inefficient LDAP searches). If your organization configured the following registry values on its Domain Controllers for this purpose, admins can revert them:

  • 15 Field Engineering, under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
  • Expensive Search Results Threshold, under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  • Inefficient Search Results Threshold, under the same Parameters key
  • Search Time Threshold (msecs), under the same Parameters key
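The following PowerShell is an added example, not code from the post or from Microsoft's documentation. It lists the four Event ID 1644 registry values on a Domain Controller and, on request, reverts them. The revert behaviour is this example's assumption: 15 Field Engineering is set back to its default of 0 and the three threshold values are removed so the operating system defaults apply again. The function names are hypothetical.

```powershell
# Added example: inspect and optionally revert the Event ID 1644 diagnostic
# values that Microsoft Defender for Identity no longer requires.
# Run elevated on each Domain Controller.
# Assumption: reverting = Field Engineering back to 0 (its default) and the
# threshold values removed; adjust if these values serve another purpose.

$DiagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$FieldEngineering = '15 Field Engineering'
$Thresholds = @(
    'Expensive Search Results Threshold',
    'Inefficient Search Results Threshold',
    'Search Time Threshold (msecs)'
)

function Get-Mdi1644Setting {
    # Emits one object per registry value; Value is $null when the value is absent.
    $fe = Get-ItemProperty -Path $DiagKey -Name $FieldEngineering -ErrorAction SilentlyContinue
    $feValue = $null
    if ($fe) { $feValue = $fe.$FieldEngineering }
    [pscustomobject]@{ Key = $DiagKey; Name = $FieldEngineering; Value = $feValue }

    foreach ($name in $Thresholds) {
        $p = Get-ItemProperty -Path $ParamKey -Name $name -ErrorAction SilentlyContinue
        $value = $null
        if ($p) { $value = $p.$name }
        [pscustomobject]@{ Key = $ParamKey; Name = $name; Value = $value }
    }
}

function Remove-Mdi1644Setting {
    # Supports -WhatIf and -Confirm through ShouldProcess.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Field Engineering is a built-in diagnostic level, so it is reset rather than deleted.
    if ($PSCmdlet.ShouldProcess("$DiagKey\$FieldEngineering", 'Set to 0')) {
        Set-ItemProperty -Path $DiagKey -Name $FieldEngineering -Value 0 -Type DWord
    }

    # The thresholds do not exist by default; remove them only if present.
    foreach ($name in $Thresholds) {
        $exists = Get-ItemProperty -Path $ParamKey -Name $name -ErrorAction SilentlyContinue
        if ($exists -and $PSCmdlet.ShouldProcess("$ParamKey\$name", 'Remove value')) {
            Remove-ItemProperty -Path $ParamKey -Name $name
        }
    }
}

# Usage:
Get-Mdi1644Setting | Format-Table -AutoSize
# Remove-Mdi1644Setting -WhatIf   # show what would change
# Remove-Mdi1644Setting           # revert the values
```

Run the report first: if the values were delivered by Group Policy Preferences rather than set by hand, they will come back at the next policy refresh, so remove them at the source instead.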


Updates to Identity Advanced Hunting tables

Version 2.199 renamed the NTLM protocol value in the Identity Advanced Hunting tables (IdentityLogonEvents, IdentityQueryEvents and IdentityDirectoryEvents): the old value Ntlm is now NTLM. String comparisons with == in KQL are case-sensitive, so if your queries or custom detections filter the Protocol column on Ntlm, change them to NTLM or use the case-insensitive =~ operator.
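The following PowerShell is an added example that is neither the post's nor Microsoft's own code. It serves both the SAM-R honeytoken custom detection suggested above and the Ntlm to NTLM rename: two Advanced Hunting queries are submitted through the Microsoft Graph security runHuntingQuery endpoint. The honeytoken account names are placeholders, the $AccessToken variable is assumed to hold a Graph token with the ThreatHunting.Read.All permission, and the function name is hypothetical.

```powershell
# Added example: run two Advanced Hunting queries via Microsoft Graph.
#  1. SAM-R lookups against honeytoken accounts (basis for a custom detection
#     now that the built-in "Honeytoken was queried via SAM-R" alert is going away).
#  2. NTLM logons written to match both the old "Ntlm" and the new "NTLM" value.
# Assumptions: placeholder honeytoken names; $AccessToken is a Graph token
# with ThreatHunting.Read.All.

# Constructed list of honeytoken sAMAccountNames; replace with your own.
$HoneytokenAccounts = @('svc-backup-old', 'adm-legacy')
$samrList = ($HoneytokenAccounts | ForEach-Object { "'$_'" }) -join ', '

# Query 1: honeytokens should never be queried, so any SAM-R query that names
# one is the detection. ActionType values for SAM-R queries start with "SAMR"
# (for example "SAMR query User"). Timestamp and ReportId are kept because a
# custom detection rule requires them.
$HoneytokenSamrQuery = @"
let Honeytokens = dynamic([$samrList]);
IdentityQueryEvents
| where Timestamp > ago(30d)
| where ActionType startswith "SAMR"
| where QueryTarget in~ (Honeytokens) or TargetAccountUpn has_any (Honeytokens)
| project Timestamp, ReportId, ActionType, QueryTarget, AccountName, AccountDomain,
          DeviceName, IPAddress, DestinationDeviceName
"@

# Query 2: =~ is case-insensitive, so this matches events logged as "Ntlm"
# before sensor 2.199 and as "NTLM" afterwards; a case-sensitive == on "Ntlm"
# would silently stop matching new events.
$NtlmLogonQuery = @"
IdentityLogonEvents
| where Timestamp > ago(7d)
| where Protocol =~ "NTLM"
| summarize Logons = count(), Sources = dcount(IPAddress) by AccountUpn, DestinationDeviceName
| order by Logons desc
"@

function Invoke-AdvancedHuntingQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Query,
        [Parameter(Mandatory)] [string] $AccessToken
    )
    $body = @{ Query = $Query } | ConvertTo-Json
    $response = Invoke-RestMethod -Method Post `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Headers @{ Authorization = "Bearer $AccessToken" } `
        -ContentType 'application/json' -Body $body
    # Graph returns the column list under "schema" and the rows under "results".
    $response.results
}

# Usage (token acquisition is out of scope for this example):
# Invoke-AdvancedHuntingQuery -Query $HoneytokenSamrQuery -AccessToken $AccessToken | Format-Table
# Invoke-AdvancedHuntingQuery -Query $NtlmLogonQuery -AccessToken $AccessToken | Format-Table
```

Once the honeytoken query returns only the hits you expect, paste its KQL into a custom detection rule in the portal; the legacy systems Microsoft mentions can then be excluded by adding a where clause on AccountName or DeviceName instead of losing the detection entirely.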


Improvements and bug fixes

All versions include improvements and bug fixes for the internal sensor infrastructure.

Author: Sander Berkouwer

Sander Berkouwer is the author of the Active Directory Administration Cookbook, and a speaker and blogger at DirTeam.com and ServerCore.net. He holds the Microsoft MVP, Veeam Vanguard and VMware vExpert awards: Microsoft has awarded Sander the Most Valuable Professional (MVP) award every year since 2009, and Veeam has awarded him the Veeam Vanguard award since 2016.