Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.
It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate and remediate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.
Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).
In November 2022, one new version of Microsoft Defender for Identity was released: version 2.194, released on November 10, 2022.
This release introduced the following functionality:
New Health Alert
Just like with version 2.192 (October 23, 2022), a new health alert was introduced. As Defender for Identity relies on healthy sensors on all Domain Controllers, health alerts help keep an eye on sensor health.
When Directory Services Advanced Auditing is not configured correctly, a health alert with Medium severity is shown on the Sensors settings page in the Microsoft 365 Defender portal. Admins should reconfigure the Advanced Auditing settings to remediate this issue. Microsoft's documentation advises configuring these settings by changing the Default Domain Controllers Policy in Group Policy Management, but my recommendations would be to:
- Configure the required settings in a separate Group Policy object and target it at the Domain Controllers OU. This way, the Default Domain Controllers Policy can be reset when needed without impacting Microsoft Defender for Identity.
- Configure the required preferences in a separate Group Policy object and target it at the Domain Controllers OU. This way, settings and preferences are not stored in one Group Policy object and do not impact the speed with which Group Policy is applied.
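The separate Group Policy object recommended above, followed by a per-Domain Controller check that the auditing behind event 5136 is actually in effect, as an added PowerShell example (not code from this post or from Microsoft; the GPO name is a placeholder, and the subcategory table is an assumption limited to what this post mentions):

```powershell
# Added example: create a dedicated audit GPO linked only at the Domain Controllers OU
# (leaving the Default Domain Controllers Policy untouched), then verify on this DC that
# the audit subcategory behind event 5136 is effective and that 5136 events arrive.
# Requires the GroupPolicy and ActiveDirectory RSAT modules, run on a Domain Controller.
# Assumption: the Advanced Audit Policy settings themselves are edited in this GPO with
# the Group Policy Management Editor; the table below only lists the subcategory this
# post refers to and should be extended from Microsoft's documentation.
Import-Module GroupPolicy, ActiveDirectory

$GpoName = 'MDI - Advanced Audit Policy'          # placeholder name
$DcOu    = (Get-ADDomain).DomainControllersContainer

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Advanced auditing required by Defender for Identity' | Out-Null
    New-GPLink -Name $GpoName -Target $DcOu -LinkEnabled Yes | Out-Null
}

# Required subcategories and the minimum effective setting (assumed list, see above).
$Required = @{
    'Directory Service Changes' = 'Success'   # produces event 5136 (attribute/group changes)
}
$Problems = [System.Collections.Generic.List[string]]::new()

foreach ($Sub in $Required.Keys) {
    # auditpol /r emits CSV; drop blank lines so ConvertFrom-Csv sees the header first
    $Row = auditpol /get /subcategory:"$Sub" /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    $Effective = $Row.'Inclusion Setting'
    if ($Effective -notmatch $Required[$Sub]) {
        $Problems.Add(("{0}: effective '{1}', expected at least '{2}'" -f $Sub, $Effective, $Required[$Sub]))
    }
}

# Auditing the subcategory is not enough for 5136: the object SACL must also request it,
# so confirm the events really reach the Security log (last 24 hours).
$Recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-1) } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $Recent) {
    $Problems.Add('No event 5136 in the last 24 hours; check the audit policy and the object SACLs')
}

if ($Problems.Count) { $Problems | ForEach-Object { Write-Warning $_ } }
else { 'Advanced auditing looks healthy on this Domain Controller' }
```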
Honeytoken issues resolved
Microsoft Defender for Identity offers the ability to define honeytoken accounts, which are used as traps for malicious actors. Any authentication associated with these (normally dormant) honeytoken accounts triggers a honeytoken activity (external ID 2014) alert.
Starting with Defender for Identity version 2.191, any LDAP or SAMR query against these honeytoken accounts triggers an alert. In addition, if event 5136 is audited, an alert is triggered when one of the attributes of the honeytoken is changed or when the group membership of the honeytoken is changed.
However, some of these changes were not enabled properly. Those issues have been resolved now.
Defender for Endpoint integration no longer supported
Previously, forwarding Defender for Identity alerts to Defender for Endpoint required separate actions. This integration between Defender for Endpoint and Defender for Identity provides the flexibility of conducting cyber security investigations across activities and identities. As of December 2022, the integration with Microsoft Defender for Endpoint from Defender for Identity is no longer supported.
Microsoft highly recommends using the Microsoft 365 Defender portal which has the integration built-in.
Improvements and bug fixes
Version 2.194 includes improvements and bug fixes for the internal sensor infrastructure.