Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.
It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.
Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).
In February 2022, three new versions of Microsoft Defender for Identity were released:
- Version 2.172, released on February 8th, 2022
- Version 2.173, released on February 13th, 2022
- Version 2.174, released on February 20th, 2022
All Features now available in the Microsoft 365 Defender portal
Since February 8th, 2022, all Microsoft Defender for Identity features are available in the Microsoft 365 Defender portal. The availability of all Defender for Identity data and functionality in the Microsoft 365 Defender portal means all tasks can be done from a single place, and all extended detection and response (XDR) signals can now be found in one location.
This concludes the XDR journey the team has taken.
Defender for Identity integration with Secure Score
Since February 8th, 2022, all the identity security posture management assessments that were accessible in Defender for Cloud Apps are now available in Secure Score, which can be accessed directly through the Microsoft 365 Defender portal.
The Improvement actions can be filtered by product. Defender for Identity is now an available filter. Using the filter shows all available assessments being generated by data gathered by Defender for Identity. Clicking on any of those improvement actions will bring in a panel that allows security teams to investigate any exposed entities impacted by the assessment, see any implementation plan suggestions, any change history to the assessment and finally, the ability to edit the status and action plan as they see fit.
Defender for Identity integration with Microsoft 365 Defender Search
Since February 8th, 2022, the Universal Search Feature launching in the Microsoft 365 Defender portal offers a convenient search bar at the top of the portal screen.
Through the Defender for Identity integration with this feature, security teams can look for any entity being monitored, be it identity , endpoint, Office 365 data, and more.
Results can be interacted with directly from the search drop down, or security teams can opt to click on All users, or All devices, etc. to see all entities associated with that search term.
Onboarding and administration experience
Since February 8th, 2022, the onboarding process is now automatic for new organizations, This allows organizations to no longer manually configure a workspace. All the admin features are now made available under the Identities menu in Microsoft 365 Defender’s Settings.
Defender for Identity alerting and incident correlation
Since February 8th, 2022, Defender for Identity alerts surface into Microsoft 365 Defender’s alert queue. This makes them available to the auto incident correlation feature. This ensures that all the alerts that matter are available in one place, and that the scope of a breach can be ascertained quicker than before.
Advanced Hunting within Microsoft 365 Defender
Advanced hunting capabilities, including Defender for Identity data is an incredibly powerful method of giving threat hunters the ability to have an additional identity-focused lens to give their efforts more context, data, and insight.
Improved alert exclusion experience
The Defender for Identity made the interface through Microsoft 365 Defender more user friendly, including adding a useful search function and introducing global exclusions.
This means that any entity can be excluded from all alerts generated by Defender for Identity, helping with any testing scenarios you may have. This is due to be improved further soon, with complex logic for alert exclusions.
Fix for installing the sensor on Windows Server 2019 with KB5009557 installed
Version 2.173, released on February 13, 2022 addresses an issue installing the sensor on Windows Server 2019 with the January 11, 2022 cumulative update (KB5009557) installed, or on a server with hardened event log permissions. Previously, the installation of the Defender for Identity sensor would fail with the following error message:
System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
Improved SIEM Alert Message
Version 2.174, released on February 20, 2022 improves the information sent to a Security Incident and Event Management (SIEM) solution, by including the host FQDN of the account involved in the alert to the message sent to the SIEM.
IMPROVEMENTS AND BUG FIXES
All three February 2022 Defender for Identity versions releases include improvements and bug fixes for the internal sensor infrastructure.