Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.
It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.
Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).
What's New
In August 2021, four new versions of Microsoft Defender for Identity were released, introducing the following improvements:
New Security Alerts
Two new security alerts were added:
Suspicious network connection over Encrypting File System Remote Protocol
In this detection, initially released with Microsoft Defender for Identity release 2.158, a security alert is triggered whenever an attacker tries to exploit EFS-RPC against a Domain Controller. This attack vector is associated with the recent PetitPotam attack. Its external ID is 2416.
In Microsoft Defender for Identity release 2.159, support for this detection is extended to trigger when a potential attacker communicates over an encrypted EFS-RPC channel. Alerts triggered when the channel is encrypted are treated as Medium severity, as opposed to High when the channel is not encrypted.
Exchange Server Remote Code Execution (CVE-2021-26855)
In this detection, initially released with Microsoft Defender for Identity release 2.158, a security alert is triggered whenever an attacker tries to change the msExchExternalHostName attribute on the Exchange object for remote code execution. Its external ID is 2414.
Note:
This detection relies on Windows event 4662 (an operation was performed on an Active Directory object), so auditing that produces this event must be enabled on the Domain Controllers beforehand.
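The prerequisite above, as an added example that is not part of the original post: a PowerShell check that the "Directory Service Access" audit subcategory is on and that a Success audit entry for property writes exists on the Exchange configuration container, so that changes to msExchExternalHostName produce event 4662. It assumes an elevated session on a Domain Controller with the ActiveDirectory module, and that Exchange uses the default container CN=Microsoft Exchange,CN=Services under the Configuration naming context.

```powershell
# Added example (not Microsoft's or the post author's code). Assumes an elevated
# session on a Domain Controller with the ActiveDirectory module available.
Import-Module ActiveDirectory

# 1. Event 4662 is only generated when the "Directory Service Access" advanced
#    audit subcategory is enabled for Success. Read it in CSV form (/r).
$audit   = auditpol /get /subcategory:"Directory Service Access" /r | ConvertFrom-Csv
$setting = ($audit | Where-Object { $_.Subcategory -eq 'Directory Service Access' }).'Inclusion Setting'
if ($setting -notmatch 'Success') {
    Write-Warning "Directory Service Access auditing is '$setting'; enabling Success auditing."
    auditpol /set /subcategory:"Directory Service Access" /success:enable | Out-Null
}

# 2. A SACL entry is still required on the object whose attributes should be
#    audited. Assumed container: the default Exchange services container.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$exchangeDN = "CN=Microsoft Exchange,CN=Services,$configNC"
$aclPath    = "AD:\$exchangeDN"
$acl        = Get-Acl -Path $aclPath -Audit

# Audit successful property writes by any principal on the container and all
# descendants, which covers msExchExternalHostName on the Exchange object.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$existing = $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference -eq $everyone -and
        $_.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Success) -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    }

if (-not $existing) {
    $acl.AddAuditRule($rule)
    Set-Acl -Path $aclPath -AclObject $acl
    Write-Output "Added Success audit for WriteProperty on $exchangeDN"
} else {
    Write-Output "Audit rule already present on $exchangeDN"
}
```

Run it on each Domain Controller that hosts a Defender for Identity sensor; the SACL is replicated, but the audit policy is per host unless delivered by GPO.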
Improvements and Bug Fixes for Internal Sensor Infrastructure
All four August 2021 Defender for Identity releases include improvements and bug fixes for the internal sensor infrastructure.