Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.
It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.
Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).
In December 2021, three new versions of Microsoft Defender for Identity were released:
- Version 2.165, released on December 6th, 2021
- Version 2.166, released on December 27th, 2021
- Version 2.167, released on December 29th, 2021
New security alert
A new security alert was added: Suspicious modification of a sAMNameAccount attribute.
This detection, initially released with Microsoft Defender for Identity release 2.166, triggers a security alert whenever an attacker attempts to exploit CVE-2021-42278 and CVE-2021-42287, commonly referred to as the SAM Name impersonation and KDC Bamboozling vulnerabilities.
Microsoft introduced this detection in response to the publishing of these CVEs and encourages Active Directory admins to also deploy the following updates on Domain Controllers:
- KB5008102 AD Security Accounts Manager hardening changes (CVE-2021-42278)
- KB5008380 Authentication updates (CVE-2021-42287)
- KB5008602 (OS Build 17763.2305) Out-of-band
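As an added example (not part of the original post and not Microsoft's own detection logic), the following Python runs a simple rename check over constructed audit records modeled on Windows Security Event ID 4781 ("The name of an account was changed"), flagging the sAMAccountName changes that the alert above is concerned with. The event field names, the sample records and the domain controller inventory are assumptions made for the example.

```python
# Constructed sample records modeled on Security Event ID 4781; field names
# are assumed for this example and are not the exact XML schema.
SAMPLE_EVENTS = [
    {"EventID": 4781, "SubjectUserName": "jdoe",
     "OldAccountName": "WS01$", "NewAccountName": "WS01-RENAMED$"},
    {"EventID": 4781, "SubjectUserName": "jdoe",
     "OldAccountName": "WS02$", "NewAccountName": "DC01"},
    {"EventID": 4781, "SubjectUserName": "svcadmin",
     "OldAccountName": "svc_old", "NewAccountName": "svc_new"},
    {"EventID": 4781, "SubjectUserName": "jdoe",
     "OldAccountName": "WS03$", "NewAccountName": "WS03"},
]

# Assumed inventory of domain controller hostnames (upper-case, no '$').
DOMAIN_CONTROLLERS = {"DC01", "DC02"}


def classify(event, dcs=DOMAIN_CONTROLLERS):
    """Return a reason string if the rename matches the CVE-2021-42278
    pattern (a computer account losing its '$' or taking a DC's name),
    otherwise None. Non-4781 events are ignored."""
    if event.get("EventID") != 4781:
        return None
    old = event["OldAccountName"]
    new = event["NewAccountName"]
    # Most specific check first: the new name collides with a DC hostname.
    if new.rstrip("$").upper() in dcs:
        return "account renamed to a domain controller's name"
    # A computer account is expected to keep its trailing '$'.
    if old.endswith("$") and not new.endswith("$"):
        return "computer account renamed without trailing '$'"
    return None


def find_suspicious(events, dcs=DOMAIN_CONTROLLERS):
    """Collect (old, new, reason) tuples for every suspicious rename."""
    hits = []
    for ev in events:
        reason = classify(ev, dcs)
        if reason:
            hits.append((ev["OldAccountName"], ev["NewAccountName"], reason))
    return hits


if __name__ == "__main__":
    for old, new, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{old} -> {new}: {reason}")
```

In a real deployment the records would come from the Security log of the Domain Controllers, and a hit should be correlated with the Defender for Identity alert rather than treated as confirmation on its own.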
Improvements and bug fixes
All three December 2021 Defender for Identity releases include improvements and bug fixes for the internal sensor infrastructure.