What's New

Identity timeline

The updated User page in the Microsoft 365 Defender portal now has a new look and feel, with an expanded view of related assets and a new dedicated timeline tab. The timeline represents activities and alerts from the last 30 days, and it unifies the user’s identity entries across all available solutions: Defender for Identity, Defender for Cloud Apps and Defender for Endpoint. By using the timeline, admins can easily focus on activities that the user performed (or were performed on them), in specific timeframes.

Improvements to honeytoken alerts

In Defender for Identity v2.191, Microsoft introduced several new scenarios to the honeytoken activity alert. Based on customer feedback, Microsoft has decided to split the honeytoken activity alert into five separate alerts:

1. Honeytoken user was queried via SAM-R.
2. Honeytoken user was queried via LDAP.
3. Honeytoken user authentication activity
4. Honeytoken user had attributes modified.
5. Honeytoken group membership changed.

Additionally, Microsoft has added exclusions for these alerts, providing a customized experience for your organization's environment.

Suspicious certificate usage over Kerberos protocol (PKINIT) alert

Microsoft introduced a new security alert: Suspicious certificate usage over Kerberos protocol (PKINIT). Many of the techniques for abusing Active Directory Certificate Services (AD CS) involve the use of a certificate in some phase of the attack. Moving forward, Microsoft Defender for Identity will alert admins when it observes such suspicious certificate usage. This behavioral monitoring approach will provide comprehensive protection against AD CS attacks, triggering an alert when a suspicious certificate authentication is attempted against a Domain Controller with a Defender for Identity sensor installed.

Automatic attack disruption

Defender for Identity now works together with Microsoft 365 Defender to offer Automated Attack Disruption. This means that, for signals coming from Microsoft 365 Defender, Defender for Identity can trigger the Disable User action. These actions are triggered by high-fidelity XDR signals, combined with insights from the continuous investigation of thousands of incidents by Microsoft’s research teams. The action suspends the compromised user account in Active Directory and syncs this information to Azure AD.

Note:
Specific users can be excluded from the automated response actions.

Remove learning period

The alerts generated by Defender for Identity are based on various factors such as profiling, deterministic detection, machine learning, and behavioral algorithms that it has learned about your organization's network. The full learning process for Defender for Identity can take up to 30 days per Domain Controller. However, there may be instances where admins would like to receive alerts even before the full learning process has been completed. In such cases, admins can turn off the learning period for the affected alerts by enabling the Remove learning period feature.

New way of sending alerts to Microsoft 365 Defender

A year ago, Microsoft announced that all of Microsoft Defender for Identity experiences are available in the Microsoft 365 Defender portal. In the upcoming month, Microsoft gradually switches the primary alert pipeline from Defender for Identity > Defender for Cloud Apps > Microsoft 365 Defender to Defender for Identity > Microsoft 365 Defender. This means that status updates in Defender for Cloud Apps will not be reflected in Microsoft 365 Defender and vice versa.

This change should significantly reduce the time it takes for alerts to appear in the Microsoft 365 Defender portal. As part of this migration, all Defender for Identity policies will no longer be available in the Defender for Cloud Apps portal as of March 5. As always, Microsoft recommends using the Microsoft 365 Defender portal for all Defender for Identity experiences.