Microsoft Defender for Identity: Architecture and Key Capabilities

What is Microsoft Defender for Identity (Azure ATP)?

Microsoft Defender for Identity (previously called Azure Advanced Threat Protection or Azure ATP) is a Microsoft security solution that captures signals from Windows Active Directory deployed on-premise and Azure Active Directory (Azure AD) in the cloud. It processes these signals and uses them to detect, investigate, and respond to threats, including malicious insiders and compromised accounts.

Defender for Identity can help you detect identity-based attacks in a hybrid environment by:

• Monitoring behavior and activities of users and other entities

• Analyzing activity and identifying anomalies using advanced analytics based on machine learning

• Identifying and enabling investigation of identity-related attacks

• Visualizing the kill chain and attack timeline to help triage and rapidly respond to incidents

Learn more about the Microsoft 365 Defender suite, which includes Defender for Identity and other tools, such as Defender for Endpoint.

Microsoft Defender for Identity Architecture

Microsoft Defender for Identity parses network traffic and obtains Active Directory entities and Windows events directly from domain controllers. It uses multiple approaches, including profiling, static rules, machine learning, and behavioral methods, to detect and alert about suspected security incidents.

Defender for Identity architecture is illustrated in the following diagram.

Defender for Identity consists of the following components:

• Defender for Identity portal—lets you create a Defender for Identity instance, displays data obtained from sensors, shows alerts, and enables investigation of identity-related threats.

• Defender for Identity sensor—can be directly installed on domain controllers, to directly monitor controller traffic with no special configuration, or on Active Directory Federation Services (AD FS), to monitor traffic and authentication events.

• Defender for Identity cloud service—runs in the Azure cloud, constantly updated with data from Microsoft Intelligent Security Graph.

• Syslog integration—Microsoft Defender for Identity can receive data from a Syslog server through a sensor, and notify when it detects suspicious activity.

Using Microsoft Defender for Identity

Create the Microsoft Defender for Identity Instance

To start using the solution, you must create a Defender for Identity instance for your organization. Here is how to do this:

1. Access the Defender for Identity portal— sign in using an AD user account or a group-managed service account.

2. Create an instance—request to create a Defender for Identity instance. It uses the fully-qualified domain name of your Azure AD tenant to create an instance in the data center nearest to your Azure AD.

3. Install sensor software—in the portal you will find a link to download the sensor executable, together with an access key. Run the installation on your domain controller or AD FS server. Provide the access key to allow the software to connect back to your Defender for Identity instance.

4. Verify sensor status—in the portal, you will see your sensor’s status, version, and health. If the sensor is connected and healthy, you can start working with Defender for Identity.

Working with Alerts

Defender for Identity provides easy-to-use visualizations of suspicious activity on the network. Alerts show the entities involved in a threat and are color coded according to attack phases. Every security alert includes:

• A title and description of the threat.

• Threat category, including compromised credentials, reconnaissance, lateral movement, exfiltration, and domain dominance.

• Evidence collected from the environment and ability to export for further analysis.

• Details including device name, username, and auto-investigation status.

• Hierarchical representation of processes, user accounts and machines related to the alert.

After you review an alert, you can classify it as “true positive” (a real threat), “benign true positive” (for example, activity from a penetration test), or “false positive”.

Network Name Resolution (NNR)

NNR lets you analyze and derive security insights from IP-based data. Defender for Identity captures IP data from network traffic, Windows events, and the event tracing for Windows (ETW) protocol. NNR correlates between IP addresses and the computers involved in specific activities, and generates alerts on suspicious events.

NNR lets you choose one of three primary methods to identify the machine behind an IP address: NTLM over RPC, NetBIOS, and RDP.

NNR data can help you detect threats like:

• Identity theft (pass-the-ticket)

• Domain Controller Sync (DCSync) attack

• DNS reconnaissance by attackers

The main benefit of NNR data is that it can improve the level of certainty in security alerts and distinguish false positives from true positives, because they provide computer naming as part of the evidence for the alert. This lets you investigate which device was the real source of a security event.

Microsoft Defender for Identity Reports

The reports section in the portal lets you schedule regular reports or download reports at any time. Reports can provide information about system health, identity-related security alerts, and lateral movement in your environment.

Defender for identity provides the following built-in reports:

• Summary report—dashboard of current status of identity threats.

• Modification of sensitive groups—provides details about every change to a sensitive identity group, such as an administrators group.

• Passwords exposed in cleartext—shows credentials stored or sent in unencrypted form.

• Lateral movement paths to sensitive accounts—lists accounts currently exposed to lateral movement by attackers due to identity compromise.