Hello and welcome to Microsoft defender for identity.

Microsoft defender for identity was originally called Azure advanced threat protection. It’s a security solution that takes advantage of on-prem active directory to identify, detect, and investigate things like threats and compromised identities. It also helps identify malicious insider attacks.

Microsoft Defender for Identity uses learning-based analytics to help you monitor user behavior and activities AND it allows you to protect Active Directory user identities and credentials.

You can also use Microsoft Defender for Identity to identify and investigate suspicious user activities and attacks throughout the kill chain AND to provide incident information that assists in triage.

Microsoft Defender for Identity looks at things like permissions and group membership, and then creates a behavioral baseline for each user in the organization. Using this information, and adaptive intelligence, Defender for Identity can then identify behavior anomalies, which in turn, provides insight into suspicious activities and events. This information then reveals the threats and compromised users that need to be addressed. This is all accomplished through proprietary Defender for Identity sensors that monitor the on-prem AD domain controllers.

As I previously mentioned, Defender for Identity allows you to protect your users’ identities as well. It does this by providing insights into identity configurations and security best-practices. The security reports in Defender for Identity, along with the user profile analytics that it offers, help reduce the attack surface in your organization, which, in turn, makes it harder for the bad guys to steal user credentials.

A feature in Defender for Identity, called Visual Lateral Movement Paths, can be used to understand how attackers can move laterally within the organization to compromise sensitive accounts. This feature helps prevent these types of threats. 

I should also mention that Defender for Identity also offers security reports that can be used to identify users and even devices that are using clear-text passwords, which, of course, is a big no-no. You can use this information to improve your security posture.

Defender for Identity even helps protects ADFS in hybrid environments by detecting on-prem attacks on the ADFS itself.

Because malicious attacks usually target low-privileged users, before using those accounts to move laterally to gain access to more sensitive accounts, and highly sensitive data, Defender for Identity can be used to identify these types of threats at the source, throughout the entire attack kill chain.

For example, Defender for Identity performs reconnaissance to identify rogue users and attempts to gain illegitimate access to information. It can also identify attempts to compromise user credentials, through things like brute force attacks, failed authentications, and other methods. Defender for Identity’s ability to detect lateral movements inside the network identifies situations where someone is using methods like Pass the Ticket, Pass the Hash, and Overpass the Hash to try and gain control of sensitive user accounts. Defender for Identity can even identify if Domain Dominance has been achieved by an attacker.

Ultimately, Defender for Identity is designed to provide relevant security alerts in a real-time organizational attack timeline, while filtering out unwanted “alert noise”, through the use of intelligence and smart analytics. It can be used to identity and investigate threats, and to gain insight into users, devices, and network resources.  

I should also mention that Defender for Identity seamlessly integrates with Microsoft Defender for Endpoint. This integration provides a layer of device security through detection of, and protection against, threats to the operating system.