Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.
It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.
Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).
In July 2021, four new versions of Microsoft Defender for Identity were released, introducing the following improvements:
On July 4th, 2021, Microsoft released Defender for Identity v2.153. It includes a new security alert: Suspected Windows Print Spooler service exploitation attempt (CVE-2021-34527 exploitation) (external ID 2415).
In this detection, Defender for Identity triggers a security alert whenever an attacker tries to exploit the Windows Print Spooler Service against a Domain Controller. This attack vector is associated with the print spooler exploitation known as PrintNightmare (CVE-2021-34527).
The subsequent July 11th, 2021 release, dubbed v2.154, includes added improvements and detections for the print spooler exploitation, to cover more attack scenarios.
Improvements and bug fixes for internal sensor infrastructure
All four July 2021 Defender for Identity releases include improvements and bug fixes for the internal sensor infrastructure.
NPCAP Driver included in the sensor installation package
As of Defender for Identity release 2.156, released on July 25th, 2021, the Npcap driver executable is included in the sensor installation package. This ensures that the Npcap driver is used instead of the WinPcap driver, as WinPcap is no longer supported.
Current sensor deployments on Domain Controllers need to be uninstalled, together with the WinPcap driver, and reinstalled with sensor installation packages version 2.156 or later. During installation, deselect the loopback support option and select WinPcap mode.
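To find Domain Controllers that still need the reinstall described above, the following added example (not from the original article or from Microsoft) reports which capture driver is registered on a machine. The sensor service name AATPSensor, the uninstall key names WinPcapInst and NpcapInst, and the Npcap Packet.dll path are assumptions to confirm in your environment.

```powershell
# Added example: report the packet-capture driver state on a Domain Controller.
# Assumed names (verify locally): service 'AATPSensor', uninstall keys
# 'WinPcapInst' and 'NpcapInst', and System32\Npcap\Packet.dll.
function Get-CaptureDriverState {
    [CmdletBinding()]
    param()

    # Installer entries can live in either the 64-bit or the 32-bit registry view.
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $findEntry = {
        param($keyName)
        foreach ($root in $uninstallRoots) {
            $path = Join-Path $root $keyName
            if (Test-Path $path) { return Get-ItemProperty -Path $path }
        }
    }

    $winPcap = & $findEntry 'WinPcapInst'
    $npcap   = & $findEntry 'NpcapInst'
    $sensor  = Get-Service -Name 'AATPSensor' -ErrorAction SilentlyContinue

    # File version of the Npcap capture library, if it is on disk.
    $npcapDll = Join-Path $env:SystemRoot 'System32\Npcap\Packet.dll'
    $npcapDllVersion = if (Test-Path $npcapDll) { (Get-Item $npcapDll).VersionInfo.FileVersion }

    # Map what was found onto the steps the article describes.
    $action = if ($winPcap -and -not $npcap) {
        'Uninstall sensor and WinPcap, reinstall with sensor package 2.156 or later'
    } elseif ($winPcap -and $npcap) {
        'WinPcap still registered next to Npcap: remove WinPcap'
    } elseif ($npcap) {
        'None: Npcap is registered'
    } else {
        'No capture driver registered: check the sensor installation'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SensorService   = if ($sensor) { $sensor.Status } else { 'NotInstalled' }
        WinPcapVersion  = $winPcap.DisplayVersion
        NpcapVersion    = $npcap.DisplayVersion
        NpcapPacketDll  = $npcapDllVersion
        SuggestedAction = $action
    }
}
# Across all DCs (requires the ActiveDirectory module and PowerShell remoting):
# Invoke-Command -ComputerName (Get-ADDomainController -Filter *).HostName -ScriptBlock ${function:Get-CaptureDriverState}
```

The function only reads the registry, service list and file metadata, so it can be run before and after the reinstall to confirm the WinPcap entry is gone.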