Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.
It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate and remediate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.
Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).
In October 2022, two new versions of Microsoft Defender for Identity were released:
- Version 2.192, released on October 23, 2022
- Version 2.193, released on October 30, 2022
These releases introduced the following functionality:
New security alert: Abnormal AD FS authentication using a suspicious certificate
The infamous Nobelium actor introduced a new attack on Active Directory Federation Services (AD FS), dubbed MagicWeb. It allows an attacker to implant a backdoor on compromised AD FS servers, enabling impersonation of any domain user and thus access to external resources.
Defender for Identity version 2.193 and later raise an alert when this attack is detected, provided the Defender for Identity sensors are installed on the AD FS servers.
Out of the box support for remediation actions
Defender for Identity can now leverage the LocalSystem account on the Domain Controller to perform remediation actions, such as enabling a user, disabling a user, and forcing a user password reset, in addition to the group Managed Service Account (gMSA) option that has been available since Defender for Identity version 2.169 (January 2022).
New health alert
As Defender for Identity relies on healthy sensors on all Domain Controllers, a new health alert has been introduced with Defender for Identity version 2.192.
When NTLM Auditing is not enabled on the server, a health alert is shown on the Sensors settings page in the Microsoft 365 Defender portal with Medium severity. Admins should enable NTLM Auditing on the Domain Controllers that display this alert.
Enable NTLM Auditing events according to the guidance in the Event ID 8004 section of the Configure Windows Event collection page.
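The following PowerShell script is an added example (not from the original post or from Microsoft) for checking whether a Domain Controller that shows the new health alert actually has NTLM Auditing in effect. The registry paths and expected values are those of the Windows "Network security: Restrict NTLM" policy settings, and the script only reads them; the settings themselves should be applied through Group Policy as the referenced guidance describes.

```powershell
# Added example: report whether a Domain Controller's effective NTLM auditing
# settings match what Event ID 8004 collection requires, and count recent 8004
# events. Run it on the DC that displays the Defender for Identity health alert.
# Registry value names and expected values follow the Windows "Network security:
# Restrict NTLM" policy settings (assumption, not quoted from the post above).

$Checks = @(
    [pscustomobject]@{
        Policy   = 'Restrict NTLM: Audit NTLM authentication in this domain'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Name     = 'AuditNTLMInDomain'
        Expected = 7   # Enable all
    },
    [pscustomobject]@{
        Policy   = 'Restrict NTLM: Audit Incoming NTLM Traffic'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        Name     = 'AuditReceivingNTLMTraffic'
        Expected = 2   # Enable auditing for all accounts
    },
    [pscustomobject]@{
        Policy   = 'Restrict NTLM: Outgoing NTLM traffic to remote servers'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        Name     = 'RestrictSendingNTLMTraffic'
        Expected = 1   # Audit all
    }
)

function Get-NtlmAuditStatus {
    foreach ($c in $Checks) {
        # A missing value means the policy is "Not Configured", i.e. auditing is off.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Policy    = $c.Policy
            Actual    = if ($null -eq $actual) { 'Not Configured' } else { $actual }
            Expected  = $c.Expected
            Compliant = ($actual -eq $c.Expected)
        }
    }
}

function Get-Recent8004Count ([int]$Hours = 24) {
    # Event 8004 is written to the NTLM operational log once auditing is on; zero
    # events on a busy DC suggests the policy has not taken effect yet (e.g. GPO not applied).
    $since = (Get-Date).AddHours(-$Hours)
    @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = $since } -ErrorAction SilentlyContinue).Count
}

Get-NtlmAuditStatus | Format-Table -AutoSize
"Event ID 8004 entries in the last 24 hours: $(Get-Recent8004Count)"
```

Run it from an elevated PowerShell session on the Domain Controller; a row with Compliant = False identifies the policy still missing from the DC's effective configuration.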
Improvements and bug fixes
Both October 2022 Defender for Identity releases include improvements and bug fixes for the internal sensor infrastructure.