Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.
It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.
Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).
What’s New
In March 2022, three new versions of Microsoft Defender for Identity were released:
- Version 2.175, released on March 6, 2022
- Version 2.176, released on March 16, 2022
- Version 2.177, released on March 27, 2022
Response Actions General Availability
In a blog post, Microsoft announced the general availability of the new response actions in Microsoft Defender for Identity, targeting on-premises Active Directory accounts in the event that an identity is compromised.
With this new capability being introduced in Microsoft 365 Defender, you can now take the following actions directly on the on-premises account:
- Disable user: this will temporarily prevent a user from logging in to the network. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
- Reset user password: this will prompt the user to change their password on the next logon, ensuring that this account cannot be used for further impersonation attempts.
Version information in Add/Remove programs
Beginning with version 2.176, released on March 16th, when installing the Defender for Identity sensor from a new package, the sensor's version under Add/Remove Programs will appear with the full version number (for example, 2.176.x.y), as opposed to the static 2.0.0.0 that was previously shown.
Add/Remove Programs will continue to show that version (the one installed through the package) even after the sensor has been updated through the automatic updates from the Defender for Identity cloud services. The real version can be seen on the sensor settings page in the portal, in the executable path, or in the file version.
Monitoring of additional LDAP queries
Microsoft Defender for Identity version 2.177, released March 27th, can now monitor additional LDAP queries.
The additional LDAP activities that are now monitored are sent over the Active Directory Web Services protocol and act like normal LDAP queries. To have visibility into these activities, you need to set the 15 Field Engineering diagnostic setting to verbose (5) and enable several other NTDS parameters on all domain controllers in the domain. The events with Event ID 1644 that are generated with these settings cover LDAP activities in the Active Directory domain and are primarily used to identify expensive, inefficient, or slow Lightweight Directory Access Protocol (LDAP) searches.
Use the following lines of Windows PowerShell in an elevated PowerShell window to enable the generation of events with Event ID 1644:
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\NTDS\Diagnostics" -Name "15 Field Engineering" -Value 5 -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\NTDS\Parameters" -Name "Expensive Search Results Threshold" -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\NTDS\Parameters" -Name "Inefficient Search Results Threshold" -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\NTDS\Parameters" -Name "Search Time Threshold (msecs)" -Value 1 -PropertyType DWORD -Force
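Because the setting has to be present on every domain controller, the following PowerShell (an added example, not part of the original post or of Microsoft's documentation) checks all domain controllers for the four values above and counts the Event ID 1644 entries written in the last hour. It assumes the ActiveDirectory RSAT module, PowerShell Remoting to each domain controller, and an account allowed to read the NTDS registry keys and the Directory Service log.

```powershell
# Added example: verify the Event ID 1644 prerequisites on all domain controllers
# and confirm that 1644 events are actually being produced.
# Assumptions: ActiveDirectory module, PowerShell Remoting, and read access to the
# NTDS registry keys and the Directory Service event log on each DC.

$expected = @{
    'HKLM:\System\CurrentControlSet\Services\NTDS\Diagnostics' = @{ '15 Field Engineering' = 5 }
    'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'  = @{
        'Expensive Search Results Threshold'   = 1
        'Inefficient Search Results Threshold' = 1
        'Search Time Threshold (msecs)'        = 1
    }
}

# Every writable and read-only DC in the current domain
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $expected -ScriptBlock {
    param($expected)

    # Collect every value that is absent or differs from the documented setting
    $missing = foreach ($path in $expected.Keys) {
        foreach ($name in $expected[$path].Keys) {
            $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            if ($actual -ne $expected[$path][$name]) {
                "$name = $actual (expected $($expected[$path][$name]))"
            }
        }
    }

    # Event ID 1644 is written to the Directory Service log; none in the last hour
    # on a busy DC usually means the settings did not take effect
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1644; StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        Configured       = (-not $missing)
        Missing          = ($missing -join '; ')
        Events1644LastHr = @($events).Count
    }
}

$results | Sort-Object DomainController | Format-Table -AutoSize
```

A DC that reports Configured = True but zero events for a prolonged period is worth a second look, since the thresholds of 1 should make almost every LDAP search qualify.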
Improvements and Bug Fixes
All three March 2022 Defender for Identity releases include improvements and bug fixes for the internal sensor infrastructure.