Microsoft Defender for Identity frequently asked questions

Defender for Identity detects known malicious attacks and techniques, security issues, and risks against your network. For the full list of Defender for Identity detections, see Defender for Identity Security Alerts.

Defender for Identity collects and stores information from your configured servers (domain controllers, member servers, etc.) in a database specific to the service for administration, tracking, and reporting purposes. Information collected includes network traffic to and from domain controllers (such as Kerberos authentication, NTLM authentication, DNS queries), security logs (such as Windows security events), Active Directory information (structure, subnets, sites), and entity information (such as names, email addresses, and phone numbers).

Microsoft uses this data to:

• Proactively identify indicators of attack (IOAs) in your organization
• Generate alerts if a possible attack was detected
• Provide your security operations with a view into entities related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network.

Microsoft does not mine your data for advertising or for any other purpose other than providing you the service.

Defender for Identity currently supports adding up to 30 different Directory Service credentials to support Active Directory environments with untrusted forests. If you require more accounts, open a support ticket.

In addition to analyzing Active Directory traffic using deep packet inspection technology, Defender for Identity also collects relevant Windows Events from your domain controller and creates entity profiles based on information from Active Directory Domain Services. Defender for Identity also supports receiving RADIUS accounting of VPN logs from various vendors (Microsoft, Cisco, F5, and Checkpoint).

No. Defender for Identity monitors all devices in the network performing authentication and authorization requests against Active Directory, including non-Windows and mobile devices.

Yes. Since computer accounts (as well as any other entities) can be used to perform malicious activities, Defender for Identity monitors all computer accounts behavior and all other entities in the environment.

ATA is a standalone on-premises solution with multiple components, such as the ATA Center that requires dedicated hardware on-premises.

Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals. The solution is highly scalable and is frequently updated.

The final release of ATA is generally available. ATA ended Mainstream Support on January 12, 2021. Extended Support will continue until January 2026. For more information, read our blog.

In contrast to the ATA sensor, the Defender for Identity sensor also uses data sources such as Event Tracing for Windows (ETW) enabling Defender for Identity to deliver additional detections.

Defender for Identity's frequent updates include the following features and capabilities:

• Support for multi-forest environments: Provides organizations visibility across AD forests.

• Microsoft Secure Score posture assessments: Identifies common misconfigurations and exploitable components, as well as, providing remediation paths to reduce the attack surface.

• UEBA capabilities: Insights into individual user risk through user investigation priority scoring. The score can assist SecOps in their investigations and help analysts understand unusual activities for the user and the organization.

• Native integrations: Integrates with Microsoft Defender for Cloud Apps and Azure AD Identity Protection to provide a hybrid view of what's taking place in both on-premises and hybrid environments.

• Contributes to Microsoft 365 Defender: Contributes alert and threat data to Microsoft 365 Defender. Microsoft 365 Defender leverages the Microsoft 365 security portfolio (identities, endpoints, data, and applications) to automatically analyze cross-domain threat data, building a complete picture of each attack in a single dashboard. With this breadth and depth of clarity, defenders can focus on critical threats and hunt for sophisticated breaches, trusting that Microsoft 365 Defender's powerful automation stops attacks anywhere in the kill chain and returns the organization to a secure state.

Defender for Identity is available as part of Enterprise Mobility + Security 5 suite (EMS E5), and as a standalone license. You can acquire a license directly from the Microsoft 365 portal or through the Cloud Solution Partner (CSP) licensing model.

For information about Defender for Identity licensing requirements, see Defender for Identity licensing guidance.

Yes, your data is isolated through access authentication and logical segregation based on customer identifiers. Each customer can only access data collected from their own organization and generic data that Microsoft provides.

No. When your Defender for Identity instance is created, it is stored automatically in the Azure region closest to the geographical location of your Azure Active Directory tenant. Once your Defender for Identity instance is created, Defender for Identity data cannot be moved to a different region.

Microsoft developers and administrators have, by design, been given sufficient privileges to carry out their assigned duties to operate and evolve the service. Microsoft deploys combinations of preventive, detective, and reactive controls including the following mechanisms to help protect against unauthorized developer and/or administrative activity:

• Tight access control to sensitive data
• Combinations of controls that greatly enhance independent detection of malicious activity
• Multiple levels of monitoring, logging, and reporting

In addition, Microsoft conducts background verification checks on certain operations personnel, and limits access to applications, systems, and network infrastructure in proportion to the level of background verification. Operations personnel follow a formal process when they are required to access a customer's account or related information in the performance of their duties.

Every domain controller in the environment should be covered by a Defender for Identity sensor or standalone sensor. For more information, see Defender for Identity sensor sizing.

Network protocols with encrypted traffic (for example, AtSvc and WMI) are not decrypted, but are analyzed by the sensors.

Enabling Kerberos Armoring, also known as Flexible Authentication Secure Tunneling (FAST), is supported by Defender for Identity, with the exception of over-pass the hash detection, which does not work with Kerberos Armoring.

Most virtual domain controllers can be covered by the Defender for Identity sensor, to determine whether the Defender for Identity sensor is appropriate for your environment, see Defender for Identity Capacity Planning.

If a virtual domain controller can't be covered by the Defender for Identity sensor, you can have either a virtual or physical Defender for Identity standalone sensor as described in Configure port mirroring. The easiest way is to have a virtual Defender for Identity standalone sensor on every host where a virtual domain controller exists. If your virtual domain controllers move between hosts, you need to perform one of the following steps:

• When the virtual domain controller moves to another host, preconfigure the Defender for Identity standalone sensor in that host to receive the traffic from the recently moved virtual domain controller.
• Make sure that you affiliate the virtual Defender for Identity standalone sensor with the virtual domain controller so that if it is moved, the Defender for Identity standalone sensor moves with it.
• There are some virtual switches that can send traffic between hosts.

For your domain controllers to communicate with the cloud service, you must open: *.atp.azure.com port 443 in your firewall/proxy. For instructions on how to do this, see Configure your proxy or firewall to enable communication with Defender for Identity sensors.

Yes, you can use the Defender for Identity sensor to monitor domain controllers that are in any IaaS solution.

Defender for Identity supports multi-domain environments and multiple forests. For more information and trust requirements, see Multi-forest support.

Yes, you can view the overall health of the deployment as well as specific issues related to configuration, connectivity etc., and you are alerted as they occur with Defender for Identity health alerts.

The Microsoft Defender for Identity team recommends that all customers use the Npcap driver instead of the WinPcap drivers. Starting with Defender for Identity version 2.184, the installation package will install Npcap 1.0 OEM instead of the WinPcap 4.1.3 drivers.

WinPcap is no longer supported and since it's no longer being developed, the driver cannot be optimized any longer for the Defender for Identity sensor. Additionally, if there is an issue in the future with the WinPcap driver, there are no options for a fix.

Npcap is supported, while WinPcap is no longer a supported product.

The recommended and officially supported version of Npcap is version 1.0. You can install a newer version of Npcap, but note that for troubleshooting, support will ask you to downgrade the Npcap version to validate that the issue is not related to the newer version installed.

No, Npcap has an exemption to the usual limit of 5 installs. You can install it on unlimited systems where it is only used with the Defender for Identity sensor.

See the Npcap license agreement here, and search for Microsoft Defender for Identity.

No, only the Microsoft Defender for Identity sensor supports Npcap version 1.00.

No, you don't need to purchase the OEM version. Download the sensor installation package version 2.156 and above from the Defender for Identity console, which includes the OEM version of Npcap.

• You can obtain the Npcap executables by downloading the latest deployment package of the Defender for Identity sensor.

• If you haven't yet installed the sensor:

  1. Install the sensor (with an installation package of version 2.184 or greater).

• If you already installed the sensor with WinPcap and need to update to use Npcap:

  1. Uninstall the sensor.
     • Either using Add/Remove programs in the control panel (appwiz.cpl), or by running the following uninstall command:
       ".\Azure ATP Sensor Setup.exe" /uninstall /quiet
  2. Uninstall WinPcap.
     • Note: This is applicable only if WinPcap was manually installed prior to the sensor installation. In this case you would need to manually remove WinPcap.
  3. Reinstall the sensor (with an installation package of version 2.184 or greater).

• If you want to manually install Npcap:

  1. Install Npcap with the following options:
  • If using the GUI installer, deselect the loopback support and select WinPcap mode. Make sure the option Restrict Npcap driver's access to Administrators only is deselected.
  • If using the command line: npcap-1.00-oem.exe /loopback_support=no /winpcap_mode=yes /admin_only=no /S

• If you want to manually upgrade Npcap:

  1. Stop the Defender for Identity sensor services (AATPSensorUpdater and AATPSensor)
     Stop-Service -Name AATPSensorUpdater -Force; Stop-Service -Name AATPSensor -Force
  2. Remove Npcap using Add/Remove programs in the control panel (appwiz.cpl)
  3. Install Npcap with the following options:
     • If using the GUI installer, deselect the loopback support and select WinPcap mode. Make sure the option Restrict Npcap driver's access to Administrators only is deselected.
     • If using the command line: npcap-1.00-oem.exe /loopback_support=no /winpcap_mode=yes /admin_only=no /S
  4. Start the Defender for Identity sensor services (AATPSensorUpdater and AATPSensor)
     Start-Service -Name AATPSensorUpdater; Start-Service -Name AATPSensor

Defender for Identity can be configured to send a Syslog alert, to any SIEM server using the CEF format, for health alerts and when a security alert is detected. See the SIEM log reference for more information .

This happens when an account is a member of groups that are designated as sensitive (for example: "Domain Admins").

To understand why an account is sensitive you can review its group membership to understand which sensitive groups it belongs to (the group that it belongs to can also be sensitive due to another group, so the same process should be performed until you locate the highest level sensitive group). You can also manually tag accounts as sensitive.

With Defender for Identity, there is no need to create rules, thresholds, or baselines and then fine-tune. Defender for Identity analyzes the behaviors among users, devices, and resources, as well as their relationship to one another, and can detect suspicious activity and known attacks quickly. Three weeks after deployment, Defender for Identity starts to detect behavioral suspicious activities. On the other hand, Defender for Identity will start detecting known malicious attacks and security issues immediately after deployment.

Defender for Identity generates traffic from domain controllers to computers in the organization in one of three scenarios:

1. Network Name resolution Defender for Identity captures traffic and events, learning and profiling users and computer activities in the network. To learn and profile activities according to computers in the organization, Defender for Identity needs to resolve IPs to computer accounts. To resolve IPs to computer names Defender for Identity sensors request the IP address for the computer name behind the IP address.

   Requests are made using one of four methods:

   • NTLM over RPC (TCP Port 135)
   • NetBIOS (UDP port 137)
   • RDP (TCP port 3389)
   • Query the DNS server using reverse DNS lookup of the IP address (UDP 53)

   After getting the computer name, Defender for Identity sensors cross check the details in Active Directory to see if there is a correlated computer object with the same computer name. If a match is found, an association is made between the IP address and the matched computer object.

2. Lateral Movement Path (LMP) To build potential LMPs to sensitive users, Defender for Identity requires information about the local administrators on computers. In this scenario, the Defender for Identity sensor uses SAM-R (TCP 445) to query the IP address identified in the network traffic, in order to determine the local administrators of the computer. To learn more about Defender for Identity and SAM-R, See Configure SAM-R required permissions.

3. Querying Active Directory using LDAP for entity data Defender for Identity sensors query the domain controller from the domain where the entity belongs. It can be the same sensor, or another domain controller from that domain.

Defender for Identity captures activities over many different protocols. In some cases, Defender for Identity doesn't receive the data of the source user in the traffic. Defender for Identity attempts to correlate the session of the user to the activity, and when the attempt is successful, the source user of the activity is displayed. When user correlation attempts fail, only the source computer is displayed.

Look at the most recent error in the current error log (Where Defender for Identity is installed under the "Logs" folder).

See Also

• Defender for Identity prerequisites
• Defender for Identity capacity planning
• Configure event collection
• Configuring Windows event forwarding
• Troubleshooting
• Check out the Defender for Identity forum!