What's New in Microsoft Defender for Identity in September 2022


Microsoft Defender for Identity

Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate and remediate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).

What’s New

In September 2022, three new versions of Microsoft Defender for Identity were released:

  1. Version 2.189, released on September 4, 2022
  2. Version 2.190, released on September 11, 2022
  3. Version 2.191, released on September 19, 2022

These releases introduced the following functionality:

More activities to trigger honeytoken alerts

Microsoft Defender for Identity offers the ability to define honeytoken accounts, which are used as traps for malicious actors. Because these accounts are normally dormant, any authentication associated with a honeytoken account triggers a honeytoken activity alert (external ID 2014).

New for version 2.191, any LDAP or SAMR query against these honeytoken accounts will trigger an alert. In addition, if event ID 5136 is audited, an alert will be triggered when one of the attributes of the honeytoken account is changed or when its group membership is changed.

Updated assessment: Unsecure domain configurations

Since version 2.190, the unsecure domain configuration assessment, available through Microsoft Secure Score, now assesses the domain controller LDAP signing policy configuration and alerts if it finds an unsecure configuration.
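As an added example (my own code, not part of the original post or of Defender for Identity), the following PowerShell pre-flight check, run on a domain controller, verifies the two preconditions the sections above depend on: that the "Directory Service Changes" audit subcategory is enabled so event ID 5136 can be logged for honeytoken changes, and that the DC's LDAP signing policy is not in the unsecure state the updated assessment flags. The function name and the optional list of honeytoken account names are assumptions; the `auditpol` command, the `LDAPServerIntegrity` registry value and the `Get-ADUser` cmdlet (ActiveDirectory module) are standard.

```powershell
function Test-MdiSeptember2022Prerequisites {
    [CmdletBinding()]
    param(
        # Optional: sAMAccountNames of the honeytoken accounts you defined in MDI
        # (assumed names; supply your own). Used only to confirm they are dormant.
        [string[]]$HoneytokenSamAccountName
    )

    $result = [ordered]@{}

    # 1. Event ID 5136 (directory service object modified) is only written when the
    #    "Directory Service Changes" subcategory audits Success. Without it, the
    #    honeytoken attribute / group-membership alert has nothing to fire on.
    $auditRow = auditpol /get /subcategory:"Directory Service Changes" /r |
        ConvertFrom-Csv | Select-Object -First 1
    $result['DirectoryServiceChangesAudit'] = $auditRow.'Inclusion Setting'
    $result['Event5136CanBeLogged']        = ($auditRow.'Inclusion Setting' -match 'Success')

    # 2. LDAP signing policy on this DC. LDAPServerIntegrity: 1 = None (unsecure,
    #    flagged by the updated assessment), 2 = Require signing. When the value is
    #    absent the DC behaves as 1 (no signing required).
    $ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $integrity = (Get-ItemProperty -Path $ntdsKey -Name LDAPServerIntegrity `
                     -ErrorAction SilentlyContinue).LDAPServerIntegrity
    if ($null -eq $integrity) { $integrity = 1 }
    $result['LdapServerIntegrity'] = $integrity
    $result['LdapSigningRequired'] = ($integrity -eq 2)

    # 3. A honeytoken that is actually being used produces noise rather than signal;
    #    report the last logon so you can confirm each account really is dormant.
    if ($HoneytokenSamAccountName) {
        $result['Honeytokens'] = foreach ($sam in $HoneytokenSamAccountName) {
            $u = Get-ADUser -Identity $sam -Properties LastLogonDate -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Account       = $sam
                Exists        = [bool]$u
                LastLogonDate = if ($u) { $u.LastLogonDate } else { $null }
            }
        }
    }

    [pscustomobject]$result
}

# Example run (the account name is a constructed placeholder):
Test-MdiSeptember2022Prerequisites -HoneytokenSamAccountName 'svc-backup-legacy' | Format-List
```

If `Event5136CanBeLogged` is `False`, enable Success auditing for Directory Service Changes in the DC's advanced audit policy; if `LdapSigningRequired` is `False`, the domain controller LDAP signing policy is the setting the Secure Score assessment will report.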

Improvements and bug fixes

All September 2022 Defender for Identity releases include improvements and bug fixes for the internal sensor infrastructure.
