Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.
It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.
Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).
In July 2022, two new versions of Microsoft Defender for Identity were released:
- Version 2.184, released on July 10, 2022
- Version 2.185, released on July 18, 2022
These releases introduced the following functionality:
NEW SECURITY ASSESSMENTS
As of version 2.184, Defender for Identity includes unsecure domain configuration assessments.
Microsoft Defender for Identity continuously monitors your environment to identify domains with configuration values that expose a security risk, and reports on these domains to assist you in protecting your environment.
Npcap instead of WinPcap
Starting with version 2.184, the Defender for Identity installation package will now install the Npcap component instead of the WinPcap drivers.
Wrongfully detected macOS devices
In version 2.185, an issue was fixed where the Suspected Golden Ticket usage (nonexistent account) (external ID 2027) detection would wrongfully detect macOS devices.
Disable user now separated into disable and suspend
The Defender for Identity team decided to divide the Disable User action on the user page into two different actions:
- Disable User: disables the user in Active Directory.
- Suspend User: disables the user in Azure AD.
The time it takes to sync from Active Directory to Azure Active Directory can be crucial, so defenders can now run the two actions one after the other and no longer depend on the synchronization between Active Directory and Azure AD.
Note that a user who is disabled only in Azure AD, but still enabled in Active Directory, will have that state overwritten by the synchronization from Active Directory.
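As an added example (not from the original post and not Microsoft's code), the following PowerShell lists synced users that are in exactly the state this caveat describes: suspended in Azure AD but still enabled on-premises, so the next synchronization will revert the suspension. It assumes the ActiveDirectory and Microsoft.Graph.Users modules are installed and that Connect-MgGraph has already been run with permission to read users; the SamAccountName parameter is a hypothetical filter.

```powershell
# Added example: find synced users suspended in Azure AD but still enabled in AD.
# Assumes: ActiveDirectory and Microsoft.Graph.Users modules, an existing
# Connect-MgGraph session (e.g. with the User.Read.All scope).
param(
    [string[]]$SamAccountName   # hypothetical: restrict the check to these users
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

# Only users that are synchronized from on-premises AD are at risk; cloud-only
# accounts have no on-premises state that could overwrite the suspension.
$cloudUsers = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled,OnPremisesSamAccountName |
    Where-Object { $_.OnPremisesSyncEnabled -eq $true }

if ($SamAccountName) {
    $cloudUsers = $cloudUsers | Where-Object { $SamAccountName -contains $_.OnPremisesSamAccountName }
}

$drift = foreach ($u in $cloudUsers) {
    $adUser = Get-ADUser -Filter "SamAccountName -eq '$($u.OnPremisesSamAccountName)'" -Properties Enabled
    if ($null -eq $adUser) { continue }

    # Suspended in Azure AD (AccountEnabled = $false) while still enabled in AD:
    # synchronization from AD will re-enable the cloud account.
    if (-not $u.AccountEnabled -and $adUser.Enabled) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            SamAccountName    = $u.OnPremisesSamAccountName
            AzureADEnabled    = $u.AccountEnabled
            ADEnabled         = $adUser.Enabled
            Remediation       = 'Also disable the user in Active Directory'
        }
    }
}

$drift | Format-Table -AutoSize
```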
IMPROVEMENTS AND BUG FIXES
Both July 2022 Defender for Identity releases include improvements and bug fixes for the internal sensor infrastructure.