Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.
It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory, AD FS, and Certification Authority (CA) admins to investigate and remediate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.
Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).
Alert learning period enhancements
Defender for Identity alert learning periods have been enhanced to provide more control over the learning period experience, including:
- Any new Defender for Identity (MDI) workspace now automatically has an alert learning period turned on for 30 days. After these 30 days, the learning period is automatically turned off and a health alert is triggered to notify admins.
- Admins can now configure the sensitivity used for specific alerts, and can also completely turn off learning for specific alerts.
During the learning period, Defender for Identity learns about your network and builds a profile of your network's normal activity. Learning periods can be useful for updating your baseline algorithms, but can also result in a high volume of alerts, some of which may be triggered by legitimate activity.
Defender for Identity reports moved to the main Reports area
Now, admins can access Defender for Identity reports from Microsoft 365 Defender's main Reports area instead of the Settings area.
Go hunt button for groups in Microsoft 365 Defender
Defender for Identity has added the Go hunt button for groups in Microsoft 365 Defender. Admins can use the Go hunt button to query for group-related activities and alerts during an investigation.
Defender for Identity has made internal improvements for latency, stability, and performance when transferring real-time events from Defender for Identity services to Microsoft 365 Defender. Organizations should expect no delays in Defender for Identity data appearing in Microsoft 365 Defender, such as alerts or activities for advanced hunting.
Defender for Identity releases 2.214 and 2.215
These versions include improvements and bug fixes for cloud services and the Defender for Identity sensor.