Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.
It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate and remediate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.
Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP), itself the cloud successor to the on-premises Advanced Threat Analytics (ATA).
In February 2023, Microsoft released one new version of Microsoft Defender for Identity: version 2.198, released on February 15, 2023. This release introduced the following functionality:
Updated User page
The User page in the Microsoft 365 Defender portal has a new look and feel, with an expanded view of related assets and a new dedicated timeline tab. The timeline shows activities and alerts from the last 30 days and unifies the user's identity entries across all available solutions: Defender for Identity, Defender for Cloud Apps and Defender for Endpoint. Using the timeline, admins can focus on activities that the user performed (or that were performed on them) in a specific timeframe.
Improvements to honeytoken alerts
In Defender for Identity v2.191, Microsoft introduced several new scenarios to the honeytoken activity alert. Based on customer feedback, Microsoft has now split the single honeytoken activity alert into five separate alerts:
- Honeytoken user was queried via SAM-R.
- Honeytoken user was queried via LDAP.
- Honeytoken user authentication activity.
- Honeytoken user had attributes modified.
- Honeytoken group membership changed.
Additionally, Microsoft has added exclusions for these alerts, so that known sources of legitimate activity in your environment can be excluded per alert instead of silencing honeytoken detection as a whole.
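Splitting the alert makes it practical to validate each detection separately. The following is an added example, not code from the original post or from Microsoft: it stages a honeytoken account with the ActiveDirectory module and then runs one action per alert so the five detections can be checked in a lab. The account name, OU, test group and domain components are assumptions.

```powershell
# Added example (not from the original post or from Microsoft): stage a honeytoken
# account, then exercise the query patterns the five split alerts cover.
# Account name, OU path, test group and domain are assumptions for this example.
Import-Module ActiveDirectory

$HoneyName = 'svc-backup-legacy'                        # assumed: looks like a forgotten service account
$OuPath    = 'OU=Service Accounts,DC=corp,DC=example'   # assumed OU
$TestGroup = 'HT-Test-Group'                            # assumed: lab-only group for the membership test

# Random password that nobody knows: a honeytoken should never log on, so any
# authentication with it is itself the signal.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pw = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADUser -Name $HoneyName -SamAccountName $HoneyName `
    -UserPrincipalName "$HoneyName@corp.example" -Path $OuPath `
    -Description 'Legacy backup service account (do not delete)' `
    -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true

# Tag the account as a honeytoken in the Microsoft 365 Defender portal before testing
# (Settings > Identities > Entity tags > Honeytoken). Without the tag these are ordinary queries.

# Each line below, run from a domain-joined workstation, maps to one of the five alerts.
Get-ADUser -LDAPFilter "(sAMAccountName=$HoneyName)" -Properties description   # queried via LDAP
net user $HoneyName /domain                                                    # queried via SAM-R (net.exe uses SAM-R)
Set-ADUser -Identity $HoneyName -Description 'changed for honeytoken test'      # attributes modified
Add-ADGroupMember -Identity $TestGroup -Members $HoneyName                      # group membership changed
# Authentication activity: any logon attempt with the account, for example
#   runas /user:corp\$HoneyName cmd
```

Run the test actions from a workstation the sensor can see (the queries have to reach a Domain Controller with a sensor), and run them one at a time so each resulting alert can be matched to its trigger.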
Suspicious certificate usage over Kerberos protocol (PKINIT) alert
Microsoft introduced a new security alert: Suspicious certificate usage over Kerberos protocol (PKINIT). Many of the techniques for abusing Active Directory Certificate Services (AD CS) involve using a certificate in some phase of the attack, typically to obtain a Kerberos TGT for the account the certificate maps to. Moving forward, Microsoft Defender for Identity alerts admins when it observes such suspicious certificate usage. Because the alert is based on the authentication behavior rather than on a specific AD CS misconfiguration, it is meant to cover the family of AD CS attacks generically. It is a detection, not a block: it fires when a suspicious certificate-based authentication is attempted against a Domain Controller with a Defender for Identity sensor installed, which is one more reason to have a sensor on every Domain Controller.
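When this alert fires, an analyst will want to corroborate it from the Domain Controller's own Security log. The following is an added example, not code from the original post or from Microsoft: it reads Event 4768 (a Kerberos TGT was requested), which carries Certificate Issuer Name, Certificate Serial Number and Certificate Thumbprint when the request used PKINIT (pre-authentication type 16, PA-PK-AS-REQ), and lists certificate-based TGT requests whose issuer is not the expected enterprise CA, plus client IPs requesting certificate-based TGTs for several accounts. The issuer name and lookback window are assumptions; "Audit Kerberos Authentication Service" success auditing must be enabled on the DC for the events to exist.

```powershell
# Added example (not from the original post or from Microsoft): corroborate a
# "Suspicious certificate usage over Kerberos protocol (PKINIT)" alert from a DC's
# Security log. Event 4768 carries certificate fields for PKINIT requests.
# $TrustedIssuer and $Hours are assumptions for this example.
param(
    [string]$TrustedIssuer = 'corp-CA-01',   # assumed: CN of your enterprise issuing CA
    [int]$Hours = 24
)

$start  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $start } `
    -ErrorAction SilentlyContinue

$pkinit = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep only TGT requests where a certificate was presented; the field is
    # empty or "-" for password-based pre-authentication.
    if ($d.CertThumbprint -and $d.CertThumbprint -ne '-') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $d.TargetUserName
            ClientIP    = $d.IpAddress
            PreAuthType = $d.PreAuthType      # 16 = PA-PK-AS-REQ (PKINIT)
            Status      = $d.Status           # 0x0 = TGT issued
            CertIssuer  = $d.CertIssuerName
            CertSerial  = $d.CertSerialNumber
            Thumbprint  = $d.CertThumbprint
        }
    }
}

# 1. Certificates not issued by the CA you expect (rogue CA, forged or foreign certificate).
'--- PKINIT requests with an unexpected issuer ---'
$pkinit | Where-Object { $_.CertIssuer -notlike "*$TrustedIssuer*" } | Format-Table -AutoSize

# 2. One client requesting certificate-based TGTs for several different accounts,
#    which is what certificate abuse at scale looks like from the DC's side.
'--- Client IPs using certificates for more than 3 distinct accounts ---'
$pkinit | Group-Object ClientIP |
    Where-Object { @($_.Group.User | Sort-Object -Unique).Count -gt 3 } |
    Select-Object Name, Count, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

The certificate serial and thumbprint from the event can be checked against the issuing CA's database to see which template issued the certificate and who requested it, which is usually the fastest way to tell a smart-card user from a certificate an attacker enrolled for someone else.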
Automatic attack disruption
Defender for Identity now works together with Microsoft 365 Defender to offer Automatic attack disruption. This means that, for signals coming from Microsoft 365 Defender, Defender for Identity can trigger the Disable User action. These actions are triggered by high-fidelity XDR signals, combined with insights from the continuous investigation of thousands of incidents by Microsoft's research teams. The action disables the compromised user account in Active Directory, and that state is then synced to Azure AD.
Specific users can be excluded from the automated response actions.
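Since the disable happens in Active Directory first and reaches Azure AD through synchronization, an analyst checking an incident will want to confirm both sides. The following is an added example, not code from the original post or from Microsoft: it reads the account state from Active Directory with the ActiveDirectory module and from Azure AD with the Microsoft Graph PowerShell SDK and warns when the two disagree. The UPN is an assumption.

```powershell
# Added example (not from the original post or from Microsoft): after a
# "Disable User" disruption action, confirm the account is disabled on-premises
# and that the change has reached Azure AD. The UPN is an assumption.
param([string]$Upn = 'jdoe@corp.example')   # assumed: the account named in the incident

Import-Module ActiveDirectory
$ad = Get-ADUser -Filter "userPrincipalName -eq '$Upn'" -Properties Enabled, whenChanged, Description
if (-not $ad) { throw "No on-premises account found for $Upn" }

[pscustomobject]@{
    Source      = 'Active Directory'
    Enabled     = $ad.Enabled
    LastChanged = $ad.whenChanged
    Description = $ad.Description
}

# Azure AD side: needs the Microsoft.Graph module and User.Read.All.
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null
$aad = Get-MgUser -UserId $Upn -Property AccountEnabled, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime

[pscustomobject]@{
    Source       = 'Azure AD'
    Enabled      = $aad.AccountEnabled
    SyncedFromAD = $aad.OnPremisesSyncEnabled
    LastSync     = $aad.OnPremisesLastSyncDateTime
}

# Disabled on-premises but still enabled in the cloud means the sync cycle has
# not run yet: the user still has cloud tokens and sessions until it does.
if ($ad.Enabled -eq $false -and $aad.AccountEnabled) {
    Write-Warning "Disable applied in AD but not yet reflected in Azure AD for $Upn (last sync: $($aad.OnPremisesLastSyncDateTime))"
}
```

Until the sync has run, existing cloud sessions and refresh tokens for the account remain valid, so revoking sessions in Azure AD is a sensible manual follow-up for a confirmed compromise.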
Remove learning period
The alerts generated by Defender for Identity are based on various factors such as profiling, deterministic detection, machine learning, and behavioral algorithms that have learned about your organization's network. The full learning process for Defender for Identity can take up to 30 days per Domain Controller. However, there may be instances where admins would like to receive alerts before the full learning process has completed. In such cases, admins can turn off the learning period for the affected alerts by enabling the Remove learning period feature. Expect more noise from those alerts until a baseline of normal activity exists.
New way of sending alerts to Microsoft 365 Defender
A year ago, Microsoft announced that all Microsoft Defender for Identity experiences are available in the Microsoft 365 Defender portal. Over the coming month, Microsoft is gradually switching the primary alert pipeline from Defender for Identity > Defender for Cloud Apps > Microsoft 365 Defender to Defender for Identity > Microsoft 365 Defender. Once switched, status updates made in Defender for Cloud Apps are no longer reflected in Microsoft 365 Defender and vice versa.
This change should significantly reduce the time it takes for alerts to appear in the Microsoft 365 Defender portal. As part of this migration, Defender for Identity policies are no longer available in the Defender for Cloud Apps portal as of March 5, 2023. As always, Microsoft recommends using the Microsoft 365 Defender portal for all Defender for Identity experiences.
Improvements and bug fixes
Version 2.198 includes improvements and bug fixes for the internal sensor infrastructure.