Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.
It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate and remediate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.
Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).
In March 2023, three new versions of Microsoft Defender for Identity were released:
- Version 2.199, released on March 5, 2023
- Version 2.200, released on March 16, 2023
- Version 2.201, released on March 27, 2023
These releases introduced the following functionality:
Disabling SAM-R queried HoneyTokens
Version 2.199 fixed an issue where some exclusions for the "Honeytoken was queried via SAM-R" alert weren't functioning properly. The release notes for version 2.201, however, mention that the team is in the process of disabling the SAM-R honeytoken alert altogether. While honeytoken accounts should never be accessed or queried, Microsoft is aware that certain legacy systems may use these accounts as part of their regular operations.
If this functionality is necessary for your organization, admins can always create an advanced hunting query and use it as a custom detection.
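As an added example (not from the release notes or Microsoft's own detection logic), the following advanced hunting query shows how such a custom detection can be built. The honeytoken account names and the excluded device are constructed placeholders; the `ActionType` prefix `SAMR` and the `QueryTarget`/`TargetAccountUpn` columns are assumed from the IdentityQueryEvents schema and should be verified against the schema reference in your tenant before saving the rule.

```kql
// Added example: SAM-R queries against honeytoken accounts, as a custom detection.
// HoneytokenAccounts is a constructed placeholder list; replace it with the accounts
// tagged as honeytokens in your environment.
let HoneytokenAccounts = dynamic(["svc-legacy-backup", "adm-retired-helpdesk"]);
// Constructed exclusion for the "legacy systems" case the release notes describe:
// devices that legitimately query these accounts as part of normal operations.
let ExcludedDevices = dynamic(["LEGACYAPP01"]);
IdentityQueryEvents
| where Timestamp > ago(1h)
// Assumption: SAM-R activity is reported with an ActionType that starts with "SAMR".
| where ActionType startswith "SAMR"
// Match either the queried object or the resolved target account (case-insensitive).
| where QueryTarget in~ (HoneytokenAccounts)
     or TargetAccountUpn has_any (HoneytokenAccounts)
| where DeviceName !in~ (ExcludedDevices)
// Timestamp, ReportId and an account identifier are needed for the custom detection
// rule to map the result to an entity and create an alert.
| project Timestamp, ReportId, ActionType, QueryTarget, TargetAccountUpn,
          AccountName, AccountDomain, AccountSid, DeviceName, IPAddress,
          DestinationDeviceName
```

Run the query in Advanced hunting first to confirm it returns rows for a deliberate test query against one of your honeytoken accounts, then save it as a custom detection rule with a frequency that matches the `ago()` window used in the query.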
Enhancements to the Directory Services Object Auditing health alert
Microsoft has addressed detection logic issues in the Directory Services Object Auditing health alert for:
- Non-English operating systems
- Windows Server 2012 with Directory Services schemas earlier than version 87
Removal of two prerequisites
Microsoft removed the prerequisite of configuring a Directory Services account before the sensors on Domain Controllers, AD FS servers and Web Application Proxy servers can start.
Microsoft also no longer requires logging of events with Event ID 1644. If your organization has the following registry settings configured, admins can remove them:
- 15 Field Engineering
- Expensive Search Results Threshold
- Inefficient Search Results Threshold
- Search Time Threshold (msecs)
Updates to Identity Advanced Hunting tables
Version 2.199 changed the NTLM protocol name in the Identity Advanced Hunting tables (IdentityLogonEvents, IdentityQueryEvents and IdentityDirectoryEvents): the old protocol name Ntlm is now NTLM. If your queries currently match the Ntlm protocol name case-sensitively in these tables, change them to NTLM.
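The following added example (not from the release notes) shows the old and the new form of the protocol filter, and goes slightly beyond the text by applying the filter across all three Identity tables at once. The `summarize` at the end is only an illustrative aggregation; the `LogonFailed` action type is assumed from the IdentityLogonEvents schema.

```kql
// Added example: adapting a case-sensitive NTLM protocol filter to the 2.199 rename.
//
// Old form, which stops matching rows ingested after the rename:
//   IdentityLogonEvents
//   | where Protocol == "Ntlm"
//
// New form. The case-insensitive operator =~ matches both the old "Ntlm" and the
// new "NTLM" spelling, so the same query keeps working across the transition.
union IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents
| where Timestamp > ago(7d)
| where Protocol =~ "NTLM"
| summarize Events = count(),
            // Assumption: failed logons carry ActionType "LogonFailed" in IdentityLogonEvents.
            FailedLogons = countif(ActionType == "LogonFailed"),
            DistinctAccounts = dcount(AccountName)
  by SourceTable = $table, Protocol
```

Note that saved queries and custom detection rules are not rewritten automatically; each one that compares `Protocol` with `==` against `"Ntlm"` has to be updated by hand, or switched to `=~` as above.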
Improvements and bug fixes
All versions include improvements and bug fixes for the internal sensor infrastructure.