Which Microsoft 365 Defender solution can detect an Active Directory domain compromise?
You need to configure Microsoft Cloud App Security to generate alerts and trigger remediation actions in response to external sharing of confidential files.
Which two actions should you perform in the Cloud App Security portal? Each correct answer presents part of the solution.
A. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant.

Microsoft Defender for Identity is a cloud-based security solution that identifies attack signals in Active Directory. It applies traffic analytics and user behavior analytics on domain controllers and AD FS servers to help prevent attacks by providing security posture assessments. Additionally, it helps expose vulnerabilities and lateral movement exploitation paths.
Brandon Lee has been in the IT industry for 15+ years and focuses on networking and virtualization. He contributes to the community through blog posts and technical documentation, primarily at Virtualizationhowto.com.
Microsoft Defender for Identity has its roots in Azure and in the former Azure Advanced Threat Protection (Azure ATP). Organizations therefore do not have to host the security solution on-premises, apart from the sensor installed on the domain controllers. The solution also helpfully provides clear steps to resolve misconfigurations. Microsoft Defender for Identity helps boost cybersecurity posture in the following four security pillars:
[Figure: Microsoft Defender for Identity security pillars]

One of the benefits of this cloud service is that lifecycle management and security intelligence are handled automatically by Microsoft. Microsoft Defender for Identity is updated weekly with the latest security intelligence, alerts, and security assessments. The solution's capabilities and protected platforms are also evolving. For example, Microsoft has extended the platform to cover both Active Directory Domain Services (AD DS) and Active Directory Federation Services (AD FS), so organizations can now deploy sensors to analyze threat signals related to their AD FS environments.

How does it fit in with other Microsoft cloud-driven products and solutions? Microsoft Defender for Identity is not an "end-all, be-all" solution. However, it fits nicely into a layered approach, including:
[Figure: Layered security approach including Microsoft Defender for Identity]

Microsoft Defender for Identity architecture
The Microsoft Defender for Identity architecture comprises the following:
[Figure: Microsoft Defender for Identity architecture]

Sensor requirements
You can think of the sensor as the Microsoft Defender for Identity "agent." Its requirements include the following:
Specific capabilities of Microsoft Defender for Identity
What specific capabilities does Microsoft Defender for Identity provide, together with its integration with Microsoft 365 Security? Note the features below for detecting compromise and preventing lateral movement:
Reconnaissance
Credential access
Lateral movement
Persistence
Below is a screenshot of the user and IP address reconnaissance dashboard in Microsoft Defender for Identity:

[Figure: User and IP address reconnaissance screen in Microsoft Defender for Identity, courtesy of Microsoft]

Proactive actioning of threat signals
Alerting and information about a potential attack are great. However, can Microsoft Defender for Identity proactively contain attacks? Yes, it can. Note the following containment actions provided by Microsoft Defender for Identity:
Licensing
Defender for Identity is available as part of Enterprise Mobility + Security E5/A5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Security, Microsoft F5 Security & Compliance, and Microsoft Defender for Identity for Users. You can acquire a license directly from the Microsoft 365 portal or through the CSP program.

Wrapping up
As more attacks target Microsoft Active Directory and user credentials, protecting your Active Directory is crucial to the overall security posture of your organization. Microsoft Defender for Identity provides an interesting security solution for AD DS and AD FS that allows businesses to leverage Microsoft security intelligence to spot potential threats in the environment quickly and contain them.
Which two Microsoft cloud services can you integrate with the Microsoft Defender for Identity implementation? Native integrations: it integrates with Microsoft Defender for Cloud Apps and Azure AD Identity Protection to provide a hybrid view of what's taking place in both on-premises and hybrid environments.
What is the difference between Defender ATP and Azure ATP? While Azure ATP monitors the traffic on your domain controllers, Windows Defender ATP monitors your endpoints, together providing a single interface from which you can protect your environment.
What is Microsoft Defender XDR? Microsoft 365 Defender is an extended detection and response (XDR) solution that automatically collects, correlates, and analyzes signal, threat, and alert data from across your Microsoft 365 environment, including endpoints, email, applications, and identities.
What are the four categories of reporting found in the Microsoft 365 Defender portal? For more information, see Permissions in the Microsoft 365 Defender portal: Organization Management, Security Administrator, Security Reader, Global Reader.