Protect your organization's identities using Microsoft Defender for Identity

  • 3 minutes

Microsoft Defender for Identity (formerly known as Azure Advanced Threat Protection, or Azure ATP) is a cloud-based security solution. It uses your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Microsoft Defender for Identity enables security operation analysts and security professionals struggling to detect advanced attacks in hybrid environments to:

  • Monitor users, entity behavior, and activities with learning-based analytics.
  • Protect user identities and credentials stored in Active Directory.
  • Identify and investigate suspicious user activities and advanced attacks throughout the kill chain.
  • Provide clear incident information on a simple timeline for fast triage.

Monitor and profile user behavior and activities

Microsoft Defender for Identity monitors and analyzes user activities and information across your network. This analysis creates a behavioral baseline for each user. Defender for Identity then uses these behavioral baselines to help identify user anomalies with adaptive built-in intelligence. This reporting provides organizations with insights into suspicious activities and events. This information reveals the advanced threats, compromised users, and insider threats that organizations face.

Defender for Identity also includes proprietary sensors that monitor organizational domain controllers. This analysis provides a comprehensive view for all user activities from every device.

Protect user identities and reduce the attack surface

Defender for Identity provides organizations with invaluable insights on identity configurations and suggested security best-practices. Through security reports and user profile analytics, Defender for Identity helps dramatically reduce your organizational attack surface. This design makes it harder to compromise user credentials and advance an attack.

Defenders for Identity's visual Lateral Movement Paths help you quickly understand exactly how an attacker can move laterally inside your organization to compromise sensitive accounts. It also helps to prevent those risks in advance. Defender for Identity provides reports that identify users and devices that authenticate using clear-text passwords. They also provide extra insights to improve your organizational security posture and policies.

Active Directory Federation Services (AD FS) plays an important role in today's infrastructure when it comes to authentication in hybrid environments. Defender for Identity protects the AD FS in your environment by detecting on-premises attacks on the AD FS. It also provides visibility into authentication events generated by the AD FS.

Identify suspicious activities and advanced attacks across the cyber-attack kill-chain

Typically, attacks are launched against any accessible entity, such as a low-privileged user. These attacks quickly move laterally until the attacker gains access to valuable assets, such as sensitive accounts, domain administrators, and highly sensitive data. Defender for Identity identifies these advanced threats at the source throughout the entire cyber-attack kill chain:

  • Reconnaissance. Identifies rogue users and attackers' attempts to gain information. Attackers are searching for information about user names, users' group membership, IP addresses assigned to devices, resources, and more, using various methods.

  • Compromised credentials. Identifies attempts to compromise user credentials using brute force attacks, failed authentications, user group membership changes, and other methods.

  • Lateral movements. Detects attempts to move laterally inside the network to gain further control of sensitive users, using methods such as Pass the Ticket, Pass the Hash, Overpass the Hash and more.

  • Domain dominance. Highlights attacker behavior if domain dominance is achieved. Detection occurs using:

    • Remote code execution on the domain controller

    • Methods such as:

      • DC Shadow
      • malicious domain controller replication
      • Golden Ticket activities

Investigate alerts and user activities

Defender for Identity is designed to reduce general alert noise. It provides only relevant, important security alerts in a simple, real-time organizational attack timeline. The Defender for Identity attack timeline view allows you to easily stay focused on what matters by applying the intelligence of smart analytics. Organizations can use Defender for Identity to quickly investigate threats. By doing so, they can gain insights across the organization for users, devices, and network resources. Integration with Microsoft Defender for Endpoint provides another layer of enhanced security. This integration applies extra detection and protection against advanced persistent threats on the operating system.