Microsoft Defender for Identity

Overview

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, Azure ATP) is a cloud-based security solution that monitors the signals generated by the Active Directory infrastructure and the organization’s network activity in order to detect and investigate suspicious or malicious activity.

Specifically, in “hybrid” environments Microsoft Defender for Identity collects and stores information such as:

  • Network traffic to and from the Domain Controllers
  • The Security Logs
  • The topology of the Active Directory infrastructure

Its ultimate aims are to:

  • Monitor and classify user behavior and activities through Machine Learning-based analysis
  • Defend Active Directory Federation Services (AD FS) in hybrid environments
  • Quickly provide clear information on possible “incidents”

Solution

The following image illustrates the Microsoft Defender for Identity architecture, which consists of three components:

  1. Microsoft Defender for Identity Portal: allows you to monitor, manage and analyze threats
  2. Microsoft Defender for Identity sensor: installed on a Domain Controller or on an AD FS server
  3. Microsoft Defender for Identity Cloud Service: runs on the Microsoft Azure infrastructure and is connected to the Microsoft Intelligent Security Graph

Requirements

  • It can be purchased as a standalone license, or you must have one of the following licenses:
    • Microsoft Defender for Office 365 Plan 1
    • Microsoft Defender for Office 365 Plan 2
    • Microsoft Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium
    • Microsoft Defender for Office 365 Plan 2 is included in Office 365 E5, Office 365 A5, Microsoft 365 E5 Security and Microsoft 365 E5
    • The “Safe Documents” feature is only available for users who have Microsoft 365 E5 or Microsoft 365 E5 Security licenses (not included in Microsoft Defender plans for Office 365)
  • Microsoft supports the installation of the Microsoft Defender for Identity sensor on Domain Controllers running one of the following operating systems: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 (Windows Nano Server), Windows Server 2019 (NO Windows Nano Server)
  • The Microsoft Defender for Identity sensor requires at least 2 cores and 6 GB of RAM on the Domain Controller
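Before deploying the sensor it is worth checking each candidate host against the requirements listed above. The following PowerShell function is an added example (not from this page and not Microsoft’s own tooling) that reads the operating system, installation type, core count and physical memory through standard CIM classes and compares them with the thresholds stated above; the function name Test-MdiSensorPrerequisites and the output field names are assumptions of this example.

```powershell
# Added example: pre-installation check for the Defender for Identity sensor.
# Thresholds (2 cores, 6 GB RAM, supported Windows Server versions) come from the
# Requirements list above; the function itself is a hypothetical helper.
function Test-MdiSensorPrerequisites {
    [CmdletBinding()]
    param(
        [int]$MinCores = 2,
        [int]$MinMemoryGB = 6,
        # Server families named as supported above ("2012" also matches 2012 R2)
        [string[]]$SupportedVersions = @('Windows Server 2012', 'Windows Server 2016', 'Windows Server 2019')
    )

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor

    # Sum physical cores across all sockets; round memory to whole GB because the
    # OS reports slightly less than the nominal amount (e.g. 5.99 GB for a 6 GB host)
    $cores    = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
    $memoryGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)

    # InstallationType is "Server", "Server Core" or "Nano Server" on Windows Server
    $installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    $isNano      = $installType -eq 'Nano Server'

    $osSupported = ($SupportedVersions | Where-Object { $os.Caption -like "*$_*" }).Count -gt 0
    # The page states Nano Server is not supported on Windows Server 2019
    if ($osSupported -and $isNano -and $os.Caption -like '*2019*') { $osSupported = $false }

    # DomainRole 4 = backup domain controller, 5 = primary domain controller.
    # Reported for information only: the page also allows the sensor on AD FS servers.
    $isDc = $cs.DomainRole -in 4, 5

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OperatingSystem    = $os.Caption
        InstallationType   = $installType
        IsDomainController = $isDc
        Cores              = $cores
        MemoryGB           = $memoryGB
        OsSupported        = $osSupported
        CoresOk            = $cores -ge $MinCores
        MemoryOk           = $memoryGB -ge $MinMemoryGB
        MeetsRequirements  = $osSupported -and ($cores -ge $MinCores) -and ($memoryGB -ge $MinMemoryGB)
    }
}

# Run locally on the candidate Domain Controller or AD FS server
Test-MdiSensorPrerequisites | Format-List
```

Run the function in an elevated PowerShell session on each host you intend to deploy the sensor to; MeetsRequirements summarizes the OS, core and memory checks, while IsDomainController is informational so that an AD FS host is not reported as failing.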

Benefits

  • Proactively identify possible indicators of attack (IOA)
  • Protect user identities and credentials stored in Active Directory and reduce the attack surface
  • Identify suspicious activities and advanced attacks across the kill chain