What is Microsoft Defender for Identity?
Microsoft Defender for Identity, also known as MDI, is a cloud-based solution from Microsoft designed to protect an organization’s Active Directory environment. Previously, Microsoft Defender for Identity was known as Azure Advanced Threat Protection and was commonly referred to as Azure ATP.
MDI uses on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at an organization.
Why MDI?
It helps SecOps analysts and security professionals detect advanced attacks in hybrid environments, enabling them to:
- Monitor users, entity behaviour, and activities with learning-based analytics
- Protect user identities and credentials stored in Active Directory
- Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
- Provide clear incident information on a simple timeline for fast triage
MDI Integration with other services:
- Defender for Identity integrates into Microsoft 365 Defender
- Defender for Identity integrates into Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security)
- Microsoft Sentinel has a data connector available for Defender for Identity.

Onboarding Defender for Identity
Prerequisites
- Licensing: EMS E5/A5/G5, M365 E5/A5/G5
- This is a cloud service that works against on-premises Active Directory, with multi-forest and multi-domain support
- The MDI sensor requires a service account to run, and the recommendation is to use a group-managed service account, also known as a gMSA.
- Auditing and Windows event logging enabled on the domain controllers
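The last prerequisite is the one most often missed: the sensor only sees what the domain controllers log. The following PowerShell script is an added example, not part of the original post, that checks the advanced audit policy subcategories MDI depends on. It reads `auditpol` CSV output, so it must run in an elevated prompt on each domain controller; the list of subcategories is an assumption based on the MDI audit-policy guidance and should be confirmed against the current documentation, and the `Success` match assumes English-language output.

```powershell
# Added example (not from the original post): verify that the advanced audit
# policy subcategories MDI relies on are enabled on this domain controller.
# Run in an elevated prompt on each DC. The subcategory list is an assumption
# taken from the MDI audit-policy guidance; confirm it against the current docs.

$requiredSubcategories = @(
    'Credential Validation',            # event 4776
    'Computer Account Management',      # events 4741-4743
    'Distribution Group Management',    # events such as 4753
    'Security Group Management',        # events such as 4728
    'User Account Management',          # event 4726
    'Directory Service Access',         # event 4662
    'Directory Service Changes',        # event 5136
    'Security System Extension'         # event 4697
)

function Test-MdiAuditPolicy {
    param([string[]]$Subcategories = $requiredSubcategories)

    # auditpol /r emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $policy = auditpol.exe /get /category:* /r | ConvertFrom-Csv

    foreach ($name in $Subcategories) {
        $entry   = $policy | Where-Object { $_.Subcategory -eq $name }
        $setting = if ($entry) { $entry.'Inclusion Setting' } else { 'Not found' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            # MDI needs at least Success auditing; "Success and Failure" also passes
            Compliant   = $setting -match 'Success'
        }
    }
}

$report = Test-MdiAuditPolicy
$report | Format-Table -AutoSize

$missing = $report | Where-Object { -not $_.Compliant }
if ($missing) {
    Write-Warning ('Audit subcategories not enabled: ' + ($missing.Subcategory -join ', '))
} else {
    Write-Host 'All required audit subcategories are enabled.'
}
```

Running this before the sensor is deployed avoids the common situation where the sensor installs cleanly but generates no alerts because the relevant security events were never written.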
Steps:
- Go to https://portal.atp.azure.com
- Create the MDI service account in Active Directory (Script below)
- Input the service account information into the MDI portal
- Download the MDI sensor installation files and copy the access key
- Deploy to all Domain Controllers and/or AD FS servers
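The steps above end with deploying the sensor to every domain controller. The script below is an added example, not part of the original post, showing one way to do that from an administrative workstation: it enumerates the domain controllers, copies the extracted sensor package to each one over a PowerShell remoting session, and runs the installer silently with the access key copied from the portal. The package directory, the installer file name and the silent-install arguments are assumptions; the access key is a placeholder and must never be committed to a script.

```powershell
# Added example (not from the original post): push the MDI sensor installer to
# every domain controller and run it silently. Assumptions: the downloaded
# package has been extracted to $SourceDir on the admin workstation, the
# installer is named as below, and PowerShell remoting is enabled on the DCs.

Import-Module ActiveDirectory

$SourceDir = 'C:\MDI\Sensor'                  # extracted sensor package (assumption)
$Installer = 'Azure ATP sensor Setup.exe'     # installer name inside the package (assumption)
$AccessKey = '<ACCESS-KEY-FROM-PORTAL>'       # placeholder: paste at run time, never store in source
$RemoteDir = 'C:\MDI'                         # staging directory on each DC

# All domain controllers in the current domain
$targets = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $targets) {
    Write-Host "Deploying sensor to $dc"
    $session = New-PSSession -ComputerName $dc
    try {
        # Stage the package on the DC
        Invoke-Command -Session $session -ScriptBlock {
            param($dir) New-Item -ItemType Directory -Path $dir -Force | Out-Null
        } -ArgumentList $RemoteDir
        Copy-Item -Path "$SourceDir\*" -Destination $RemoteDir -ToSession $session -Recurse -Force

        # Run the installer silently and report the exit code (0 means success)
        Invoke-Command -Session $session -ScriptBlock {
            param($dir, $exe, $key)
            # /quiet suppresses the UI; NetFrameworkCommandLineArguments passes /q
            # to the bundled .NET installer; AccessKey binds the sensor to the workspace
            $argList = "/quiet NetFrameworkCommandLineArguments=`"/q`" AccessKey=`"$key`""
            $p = Start-Process -FilePath (Join-Path $dir $exe) -ArgumentList $argList -Wait -PassThru
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; ExitCode = $p.ExitCode }
        } -ArgumentList $RemoteDir, $Installer, $AccessKey
    } finally {
        Remove-PSSession $session
    }
}
```

A non-zero exit code on a given DC usually means a prerequisite (for example .NET or the gMSA) is missing there; the installer log on that host gives the detail.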
gMSA: the sensor's gMSA is created with the PowerShell script in the section below.
Alerts & Monitoring:
- Defender for Identity provides reconnaissance alerts, helping identify unusual directory enumeration.
- Defender for Identity provides for compromised credential alerts, helping identify account compromise and threats attempting to gain credentials.
- Defender for Identity provides for lateral movement detection, alerting on common mechanisms.
- Defender for Identity provides for domain dominance detection, which provides insight into malicious actors who have gained privileged access to Active Directory.
- Defender for Identity provides for exfiltration detection, which provides insight into malicious actors attempting to exfiltrate data from domain controllers or compromise DNS.

PowerShell script for creating the gMSA and granting the required access (if a step errors, reboot the system and rerun):
# Set the variables:
# Name of the gMSA account to be created
$gMSA_AccountName = 'mdiSvc01'
# Name of the group that will hold the hosts allowed to retrieve the gMSA password
# Can be any name
$gMSA_HostsGroupName = 'mdiSvc01'
# Declare the *user* or *group* that needs read access to the Deleted Objects container, in DOMAIN\name form.
# Note that if the identity you want to grant the permissions to is a Group Managed Service Account (gMSA),
# you need first to create a security group, add the gMSA as a member and list that group as the identity below
$Identity = 'arnavsharma\mdiSvc01'
# Name(s) of the domain controller(s) that will run the sensor - the target
$gMSA_HostNames = 'WIN-TE2RL78F23R'
# Import the required PowerShell module:
Import-Module ActiveDirectory
# Add a KDS root key, back-dated by 10 hours so it is usable immediately instead of after the default wait
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Start-Sleep -Seconds 10
# Create the group and add the members
$gMSA_HostsGroup = New-ADGroup -Name $gMSA_HostsGroupName -GroupScope Global -PassThru
$gMSA_HostNames | ForEach-Object { Get-ADComputer -Identity $_ } | ForEach-Object { Add-ADGroupMember -Identity $gMSA_HostsGroupName -Members $_ }
# Or, use the built-in 'Domain Controllers' group if the environment is a single forest and will contain only domain controller sensors
# $gMSA_HostsGroup = Get-ADGroup -Identity 'Domain Controllers'
# Create the gMSA; only members of the hosts group may retrieve its password
New-ADServiceAccount -Name $gMSA_AccountName -DNSHostName "$gMSA_AccountName.$env:USERDNSDOMAIN" -PrincipalsAllowedToRetrieveManagedPassword $gMSA_HostsGroupName
Start-Sleep -Seconds 10
# Get the Deleted Objects container's distinguished name:
$distinguishedName = ([adsi]'').distinguishedName.Value
$deletedObjectsDN = 'CN=Deleted Objects,{0}' -f $distinguishedName
# Take ownership of the Deleted Objects container:
$params = @("$deletedObjectsDN", '/takeOwnership')
C:\Windows\System32\dsacls.exe $params
# Grant the 'List Contents' (LC) and 'Read Property' (RP) permissions to the user or group:
$params = @("$deletedObjectsDN", '/G', "$($Identity):LCRP")
C:\Windows\System32\dsacls.exe $params
Start-Sleep -Seconds 10
# Install the gMSA on this host (the host must be a member of the hosts group)
Install-ADServiceAccount -Identity $gMSA_AccountName
Start-Sleep -Seconds 10
# Verify the gMSA can be used from this host (returns True on success)
Test-ADServiceAccount -Identity $gMSA_AccountName
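Once the script has run and the sensor is installed, it is worth confirming each piece independently rather than trusting that the installer reported success. The following script is an added example, not part of the original post, that checks the three things the setup above depends on: that the gMSA password is retrievable by the hosts group and that this DC is a member of it, that the identity holds List Contents and Read Property on the Deleted Objects container, and that the sensor services are running. It runs on a domain controller as an administrator; the default names match the values used in the post, the `AATPSensor` and `AATPSensorUpdater` service names are the ones the sensor registers, and the `dsacls` output check is a coarse text match.

```powershell
# Added example (not from the original post): post-deployment checks for the gMSA
# created by the script above and for the sensor services on a domain controller.
# Run on the DC as an administrator. Defaults match the names used in the post.

Import-Module ActiveDirectory

function Test-MdiGmsa {
    param(
        [string]$AccountName    = 'mdiSvc01',
        [string]$HostsGroupName = 'mdiSvc01'
    )
    $gmsa  = Get-ADServiceAccount -Identity $AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword
    $group = Get-ADGroup -Identity $HostsGroupName

    [pscustomobject]@{
        Check  = 'gMSA password retrievable by hosts group'
        Result = $gmsa.PrincipalsAllowedToRetrieveManagedPassword -contains $group.DistinguishedName
    }
    [pscustomobject]@{
        Check  = 'gMSA usable on this host'
        Result = [bool](Test-ADServiceAccount -Identity $AccountName)
    }
    # The sensor host must be in the hosts group, otherwise it cannot fetch the password
    $members = Get-ADGroupMember -Identity $HostsGroupName | Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Check  = "this DC ($env:COMPUTERNAME) is a member of the hosts group"
        Result = $members -contains $env:COMPUTERNAME
    }
}

function Test-MdiDeletedObjectsAcl {
    # DOMAIN\group form, as used for $Identity in the post
    param([string]$Identity = "$env:USERDOMAIN\mdiSvc01")
    $dn = 'CN=Deleted Objects,{0}' -f ([adsi]'').distinguishedName.Value
    # dsacls with no switches prints the current ACL; this is a coarse text check
    # for the identity together with LIST CONTENTS and READ PROPERTY entries
    $acl = & "$env:SystemRoot\System32\dsacls.exe" $dn 2>&1 | Out-String
    [pscustomobject]@{
        Check  = "$Identity has List Contents / Read Property on Deleted Objects"
        Result = ($acl -match [regex]::Escape($Identity)) -and
                 ($acl -match 'LIST CONTENTS') -and ($acl -match 'READ PROPERTY')
    }
}

function Test-MdiSensorServices {
    foreach ($svc in 'AATPSensor', 'AATPSensorUpdater') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check  = "service $svc is running"
            Result = ($null -ne $s) -and ($s.Status -eq 'Running')
        }
    }
}

$results = @(Test-MdiGmsa) + @(Test-MdiDeletedObjectsAcl) + @(Test-MdiSensorServices)
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Result }) {
    Write-Warning 'One or more MDI deployment checks failed; see the table above.'
}
```

A failed hosts-group check is the usual cause of a sensor service that starts and then stops: the service account exists, but this DC is not allowed to retrieve its password.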
FAQ
Q: What is Microsoft Defender for Identity?
A: Microsoft Defender for Identity, formerly known as Azure Advanced Threat Protection (ATP), is a cloud-based security solution that uses various data sources to monitor user activities and detect security threats on the network in near-real-time to safeguard identities in the cloud and on-premises.
Q: What type of threats can Microsoft Defender for Identity detect?
A: Microsoft Defender for Identity monitors and detects several types of advanced attacks, including MITRE ATT&CK techniques, unauthorized access, privilege escalation, Azure Active Directory (AD) attribute manipulation, and more.
Q: Is Microsoft Defender for Identity a part of Microsoft 365?
A: Yes, Microsoft Defender for Identity is a part of the Microsoft 365 Defender suite of products.
Q: What is the role of Microsoft Defender for Endpoint in Microsoft Defender for Identity?
A: Microsoft Defender for Endpoint works with Microsoft Defender for Identity by providing endpoint protection, enabling organizations to identify and mitigate attacks across endpoints, including Windows, macOS, and Linux devices.
Q: What is the Defender for Identity sensor, and do I need to install it?
A: The Defender for Identity sensor is a lightweight software component that provides visibility into activities that occur on your network. You need to install the sensor on a domain-joined device in your network to use Microsoft Defender for Identity.
Q: How do I configure Microsoft Defender for Identity after installation?
A: To configure Microsoft Defender for Identity, you need to connect the sensor to the Microsoft Defender for Identity cloud service and configure the security updates, technical support, and identity protection settings according to your organization’s requirements.
Q: How does Microsoft Defender for Identity help protect my organization’s identity security posture?
A: Microsoft Defender for Identity helps enhance your organization’s identity security posture by providing continuous monitoring, advanced analytics, security alerts, and recommendations to improve your security posture. It also enables you to analyze and investigate threats and alerts related to identity.
Q: What kind of data does Microsoft Defender for Identity monitor and collect?
A: Microsoft Defender for Identity monitors and collects data related to network activities, Active Directory, cloud apps, authentication events, and other identity-related data to detect and mitigate threats.
Q: How does Microsoft Defender for Identity integrate with the Microsoft 365 Defender portal?
A: Microsoft Defender for Identity integrates with the Microsoft 365 Defender portal, providing a unified experience to manage and investigate threats across various Defender solutions.
Q: What are the next steps after using Microsoft Defender for Identity?
A: After deploying Microsoft Defender for Identity, the next steps include setting up and configuring alerts for identity protection, investigating suspicious activities, analyzing threat data, improving the security posture, and reviewing additional resources such as Microsoft Learn.