Microsoft Defender for Identity AMA
Event details
We are very excited to announce our Microsoft Defender for Identity AMA!
An AMA is a live text-based online event similar to a “YamJam” on Yammer or an “Ask Me Anything” on Reddit. This AMA gives you the opportunity to connect with Microsoft product experts who will be on hand to answer your questions and listen to feedback.
Feel free to post your questions about Defender for Identity in the comments below ahead of time if that fits your schedule or time zone better; note that questions will not be answered until the live hour.
94 Comments
- af-00001 (Brass Contributor)
Hi, sorry I will not be able to attend, but I would really be keen to understand:
  - What is the ETA to fully move everything to security.microsoft.com?
  - Is there a plan to:
    - alert on misconfiguration of the permissions on AD objects? Think "a domain user can modify a GPO that makes changes to a domain controller" type issues
    - alert on someone taking advantage of such a misconfiguration?
  - Are there any plans to produce a single view of health issues in the MDI setup:
    - showing health status over time, not just alerts
    - recommending things like: "domain controller X: the sensor has gone into bypass 10 times in 30 days due to not enough memory; suggest you add memory"
  - What are the next detections we can expect to come? I.e. which areas of lateral movement used by attackers does MDI have poor or zero coverage of?
- Or Tsemah (Iron Contributor)
Nice to see you here as well James 🙂
While some legacy Defender for Identity features will not be converged (where they have been superseded by functionality in Microsoft 365 Defender), the security.microsoft.com portal is now the main portal for Defender for Identity.
We are working with the Microsoft Secure Score team on having alert capabilities through that experience, not just for Defender for Identity security recommendations.
While health issues are part of Defender for Identity settings already, we are working on a new health view for all issues.
For the detection part – as you might have guessed, detections are something we always look into, whether it's improving existing detections or creating new ones. On the new detection side, we are challenging ourselves to look outside of just the Active Directory world by introducing detections on AD CS, AD Connect, Azure Active Directory and even external identity providers such as Okta. Obviously 'classic Active Directory detections' are still top of mind for us with any new vulnerability or CVE that might affect Active Directory.
- Arjan van Veen (Copper Contributor)
I certainly agree with this post...
- Haim Behar (Copper Contributor)
Are there any plans to add a real "VPN connection" activity type which will correlate with data from MDCA or similar?
- Martin_Schvartzman (Microsoft)
Any VPN system that supports RADIUS accounting can forward its events to the MDI sensor, and we will use that information to correlate the events, as described in https://docs.microsoft.com/en-us/defender-for-identity/install-step6-vpn. If this doesn't answer your question, please elaborate further.
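To make concrete what a VPN forwards when it does RADIUS accounting, here is an added example (not MDI sensor code and not something posted in this thread) that builds and parses an RFC 2866 Accounting-Request. It shows the fields that let a receiver tie a user to the tunnel IP it was assigned (User-Name, Framed-IP-Address, NAS-IP-Address, Acct-Status-Type) and the Request Authenticator check a receiver should perform before trusting them. The sample packet and the shared secret are constructed for the example.

```python
"""RADIUS accounting (RFC 2866) packet builder/parser.

Added example, not MDI sensor code or anything from this thread. The sample
packet and shared secret below are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code for Accounting-Request (RFC 2866)

# Subset of standard attribute types relevant to VPN session correlation.
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 4, 8, 40, 44
ATTR_NAMES = {
    USER_NAME: "User-Name",
    NAS_IP_ADDRESS: "NAS-IP-Address",
    FRAMED_IP_ADDRESS: "Framed-IP-Address",
    ACCT_STATUS_TYPE: "Acct-Status-Type",
    ACCT_SESSION_ID: "Acct-Session-Id",
}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _request_authenticator(header: bytes, body: bytes, secret: bytes) -> bytes:
    # RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    return hashlib.md5(header + b"\x00" * 16 + body + secret).digest()


def build_accounting_request(identifier: int, secret: bytes, attrs: list[tuple[int, bytes]]) -> bytes:
    """Encode attributes as Type/Length/Value, then prepend header and authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + _request_authenticator(header, body, secret) + body


def authenticator_valid(packet: bytes, secret: bytes) -> bool:
    """True if the Request Authenticator matches the shared secret (spoof/tamper check)."""
    if len(packet) < 20:
        return False
    expected = _request_authenticator(packet[:4], packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def parse_accounting_request(packet: bytes, secret: bytes) -> dict:
    """Validate an Accounting-Request and decode its attributes into named fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if not authenticator_valid(packet, secret):
        raise ValueError("Request Authenticator mismatch: wrong secret or tampered packet")

    fields = {"identifier": identifier}
    body = packet[20:]
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("bad attribute length")
        value = body[pos + 2:pos + attr_len]
        if attr_type in (NAS_IP_ADDRESS, FRAMED_IP_ADDRESS):
            decoded = str(ipaddress.IPv4Address(value))
        elif attr_type == ACCT_STATUS_TYPE:
            decoded = ACCT_STATUS.get(struct.unpack("!I", value)[0], "Unknown")
        else:
            decoded = value.decode("utf-8", errors="replace")
        fields[ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")] = decoded
        pos += attr_len
    return fields


# Constructed sample: a VPN concentrator reporting that jdoe's tunnel came up.
SHARED_SECRET = b"constructed-example-secret"
SAMPLE_PACKET = build_accounting_request(
    identifier=7,
    secret=SHARED_SECRET,
    attrs=[
        (USER_NAME, b"CONTOSO\\jdoe"),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed),
        (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.50.0.23").packed),
        (ACCT_STATUS_TYPE, struct.pack("!I", 1)),  # 1 = Start
        (ACCT_SESSION_ID, b"vpn-sess-0001"),
    ],
)

if __name__ == "__main__":
    for key, val in parse_accounting_request(SAMPLE_PACKET, SHARED_SECRET).items():
        print(f"{key:>18}: {val}")
```

The Framed-IP-Address is the value that matters for correlation: once a receiver knows that CONTOSO\jdoe held 10.50.0.23 between the Start and Stop records, later activity from that address can be attributed to the VPN session rather than to an unknown host. The authenticator check is what stops an arbitrary UDP sender from injecting fake session records, which is why the shared secret on the sensor must match the one configured on the VPN.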
- Principal Stanwix AU (Copper Contributor)
Looking forward to getting an update on where we are today and a roadmap of where we are heading. What are the top 3 risks that we need to address today, where are the risks coming from (internal\external), and what are the mitigation strategies for beginner\experienced security experts?
- YaronParyanty (Microsoft)
In the last 12 months, identity-targeted attacks, and specifically attempts to take full control of Active Directory, have been on the increase. For example, in the last 3 months there were 4 or 5 different weaponized vulnerabilities exposed that aimed to provide attackers with full control over Active Directory. Just to name a few – we have had DnsHostName spoofing, KrbRelayUp, and the recent campaign we are working on, DFSCoerce. If an attacker succeeds, Active Directory can be completely compromised. With the increase of attacks on Active Directory, we are expecting an increase of attacks on the entire identity infrastructure including AD, AAD and other IAM solutions and identity infrastructure solutions. Identifying attacks against AD, AAD and ADFS, which synchronize between them, is covered by Microsoft Defender for Identity (MDI), Microsoft AAD Identity Protection and AAD Conditional Access. We are also looking to expand this offering, including posture, detection, investigation and remediation, to other IAM solutions as well as identity infrastructure solutions. We are also witnessing a trend towards attacking Active Directory Certificate Services (AD CS), either compromising specific certificates or taking control of the entire AD CS server. We will be happy to conduct a session in which we can share the full MDI roadmap. We'll post to the MDI community when we schedule this session to take place.
- TheGift1973 (Copper Contributor)
Will Defender for Identity have its own blade in the Defender portal like MCAS is now getting? Currently we can access it a bit in the main Defender for Endpoint portal via Settings > Identity, so it's not as immediate to the user as other areas. The other way is the old MDI portal (https://portal.atp.azure.com), which lacks features that other portals currently have.
- Or Tsemah (Iron Contributor)
Defender for Identity is now converged into the Microsoft 365 Defender experience; you can see the blog post here: "All Microsoft Defender for Identity features now available in the Microsoft 365 Defender portal" (Microsoft Tech Community). We recommend using the security.microsoft.com portal as the main experience for Defender for Identity.
- Douglas_Henrique (Brass Contributor)
Recently I received an alert about "Account enumeration reconnaissance" with an unknown resource name. That enumeration was through NTLM against my DC, with my Exchange Server as the destination. Besides, the resource has no information about IP, logged-on users, accessed resources, and so on. My question is: how should I start to block that kind of resource when MDI has no information on it?
- Daniel Naim (Iron Contributor)
The application making the NTLM request can put in whatever it wants as the computer name. When MDI has access to event 8004 on the domain controller, it will add the resource that was being accessed to the Account Enumeration alert. Then you can look on the resource computer for events 4624 and 4625 to see the source IP address of the computer connecting to the resource: https://docs.microsoft.com/en-us/defender-for-identity/reconnaissance-alerts#account-enumeration-reconnaissance-external-id-2003. Make sure that the domain controllers are configured to record event 8004: https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#event-id-8004
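The correlation described in the answer above, worked through as an added example (this is not MDI's detection logic and not code posted in the thread). The event records are constructed, and their field names are simplified stand-ins for the real 8004 and 4624/4625 fields (an assumption of this example), so it shows the shape of the check rather than a parser for the actual event XML. The one thing it deliberately encodes from the answer is that the workstation name in an NTLM request is chosen by the client and so is only a grouping key; the source IP recorded by the resource server's own 4624/4625 events is the evidence worth acting on.

```python
"""Tie an NTLM account-enumeration burst (DC event 8004) back to a source IP
(resource-server events 4624/4625).

Added example, not MDI code. Records are constructed; field names are
simplified stand-ins for the real event fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 8004 events as seen on the domain controller: account tried,
# the workstation name the client *claimed*, and the secure channel name
# (the resource server that forwarded the NTLM request).
DC_8004_EVENTS = [
    {"ts": "2022-06-21T02:14:05", "account": "jdoe",    "workstation": "RANDOMNAME", "secure_channel": "EXCH01"},
    {"ts": "2022-06-21T02:14:05", "account": "asmith",  "workstation": "RANDOMNAME", "secure_channel": "EXCH01"},
    {"ts": "2022-06-21T02:14:06", "account": "svc_sql", "workstation": "RANDOMNAME", "secure_channel": "EXCH01"},
    {"ts": "2022-06-21T02:14:06", "account": "admin",   "workstation": "RANDOMNAME", "secure_channel": "EXCH01"},
    {"ts": "2022-06-21T02:30:00", "account": "bwayne",  "workstation": "WS-FIN-07",  "secure_channel": "FILE01"},
]

# Constructed 4624 (success) / 4625 (failure) events collected per resource server.
# Unlike the 8004 workstation name, source_ip comes from the network connection.
RESOURCE_EVENTS = {
    "EXCH01": [
        {"ts": "2022-06-21T02:14:05", "id": 4625, "account": "jdoe",    "workstation": "RANDOMNAME", "source_ip": "10.20.30.40"},
        {"ts": "2022-06-21T02:14:05", "id": 4625, "account": "asmith",  "workstation": "RANDOMNAME", "source_ip": "10.20.30.40"},
        {"ts": "2022-06-21T02:14:06", "id": 4624, "account": "svc_sql", "workstation": "RANDOMNAME", "source_ip": "10.20.30.40"},
        {"ts": "2022-06-21T02:14:07", "id": 4625, "account": "admin",   "workstation": "RANDOMNAME", "source_ip": "10.20.30.40"},
        {"ts": "2022-06-21T02:14:06", "id": 4624, "account": "hr_user", "workstation": "WS-HR-02",   "source_ip": "10.20.31.5"},
    ],
    "FILE01": [
        {"ts": "2022-06-21T02:30:01", "id": 4624, "account": "bwayne",  "workstation": "WS-FIN-07",  "source_ip": "10.20.32.9"},
    ],
}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_enumeration_bursts(dc_events, min_accounts=3, window=timedelta(seconds=30)):
    """Group 8004 events by (claimed workstation, resource). Many distinct accounts
    from one pair inside a short window is the enumeration pattern."""
    groups = defaultdict(list)
    for ev in dc_events:
        groups[(ev["workstation"], ev["secure_channel"])].append(ev)
    bursts = []
    for (workstation, resource), evs in groups.items():
        evs.sort(key=lambda e: _ts(e["ts"]))
        accounts = {e["account"] for e in evs}
        span = _ts(evs[-1]["ts"]) - _ts(evs[0]["ts"])
        if len(accounts) >= min_accounts and span <= window:
            bursts.append({"workstation": workstation, "resource": resource,
                           "accounts": sorted(accounts),
                           "start": evs[0]["ts"], "end": evs[-1]["ts"]})
    return bursts


def resolve_source_ips(burst, resource_events, slack=timedelta(seconds=5)):
    """On the resource server named in the burst, match 4624/4625 with the same
    account and claimed workstation inside the burst window (+/- slack) and
    return {source_ip: [accounts]}."""
    start = _ts(burst["start"]) - slack
    end = _ts(burst["end"]) + slack
    hits = defaultdict(set)
    for ev in resource_events.get(burst["resource"], []):
        if ev["id"] not in (4624, 4625):
            continue
        if ev["workstation"] != burst["workstation"] or ev["account"] not in burst["accounts"]:
            continue
        if start <= _ts(ev["ts"]) <= end:
            hits[ev["source_ip"]].add(ev["account"])
    return {ip: sorted(accts) for ip, accts in hits.items()}


def investigate(dc_events, resource_events):
    """Bursts from the DC side, each enriched with the real source IPs from the resource side."""
    return [{**burst, "source_ips": resolve_source_ips(burst, resource_events)}
            for burst in find_enumeration_bursts(dc_events)]


if __name__ == "__main__":
    for result in investigate(DC_8004_EVENTS, RESOURCE_EVENTS):
        print(f"{result['workstation']} -> {result['resource']}: "
              f"{len(result['accounts'])} accounts, source IPs {result['source_ips']}")
```

Running it on the constructed data yields one burst: the claimed name RANDOMNAME against EXCH01, resolved through the Exchange server's own logon events to 10.20.30.40. The single bwayne logon against FILE01 does not meet the account threshold, and hr_user's concurrent logon on EXCH01 is excluded because neither its workstation nor its account matches the burst. The IP, not the fabricated computer name, is what a firewall rule or endpoint isolation can act on.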
- blods (Brass Contributor)
How does Microsoft see the competition in this space, and how is it different? Presumably Microsoft has a massive advantage in terms of the number of data points it can leverage across devices and systems!
- YaronParyanty (Microsoft)
Microsoft Defender for Identity (MDI) is an integral part of Microsoft 365 Defender (M365D). Unlike other solutions in the market, MDI is meshed into M365D rather than loosely integrated with it. This allows us to provide a holistic end-to-end experience that is greater than the sum of its parts. Signals and data from endpoints, applications, on-premises and cloud identities, Office 365 and much more all stream to the same data lake, allowing M365D to perform smart and powerful correlation, reduce friction, save time and empower the SOC team to work much more efficiently. It also provides a unified experience across all the different workloads, including the threat hunting experience, investigation experience, remediation and so on. Detection of new vulnerabilities and attacks is a key element of MDI's work. We are constantly looking for newly published threats as well as researching tools and methods that haven't been disclosed yet, to try to stay ahead of the attackers as much as possible. The MDI sensor is also optimized for enterprise environments, running with a low footprint on Active Directory and ADFS servers, and contains self-healing and self-destruction mechanisms to protect against overloading the underlying services that may be running on the server.
- blods (Brass Contributor)
What is the overlap between Defender for Identity and Sentinel Log Analytics? Do all logs need to be in the same region or in the same Log Analytics workspace for Defender to take advantage of logs, or does it operate outside of that?
- Arjan van Veen (Copper Contributor)
In my opinion there is no overlap... those are 2 different products... But you can utilize the raw data of MDI in Sentinel to correlate other data sources with the raw data of MDI. The second question I do not really understand... but I think the answer is yes 🙂
- YaronParyanty (Microsoft)
The core of MDI is the powerful detection engine, which is made possible by performing deep packet inspection and by collecting Windows events from the domain controllers. Sentinel Log Analytics stores events and provides users with tools to slice and dice the data and create queries. They are complementary solutions that can be used side by side for different purposes. You can stream the MDI alert information and evidence from M365D into Sentinel, and you can use M365D Advanced Hunting to send additional data to Sentinel Log Analytics. It's up to the customer to decide which regions to use for each of the products.
- blods (Brass Contributor)
Other similar products like Cynet offer some form of honeytrap, in that they emulate a fake network, making your business look like it's many thousands of machines larger, so that they can detect attacks sooner. They also place fake files on production machines with enticing names like "Pay" and "Budget". Does Microsoft have any similar capability or thoughts?
- Daniel Naim (Iron Contributor)
We have honeytoken accounts! Any activity logged on these accounts will trigger a specific honeytoken alert. Learn more about how to set it up here: https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts. Also, if you already have M365D you can learn more about it here: https://security.microsoft.com/securescore?viewid=actions&actionId=AATP_HoneyToken
- blods (Brass Contributor)
How is alerting/contacting a business handled by the SOC team? If it was the middle of the night and there was a detected ransomware attack, can a business expect to be emailed, phoned or sent text messages? Would the SOC team be able to start taking preemptive measures to defend against the attack even before an organization's IT team is aware of the issue?
- Daniel Naim (Iron Contributor)
All Microsoft Defender for Identity alerts can be sent to any SIEM solution using syslog integration. There are also alert notification options; you can read more about them here: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-email-notifications?view=o365-worldwide
- blods (Brass Contributor)
Does Defender for Identity allow Microsoft to lock down (isolate) remote machines when an attack is underway?
- Daniel Naim (Iron Contributor)
Recently, Microsoft Defender for Identity announced remediation actions it can take on users. Ultimately, with Microsoft 365 Defender, each product will provide its own unique set of remediation capabilities: Microsoft Defender for Office 365 allows you to move emails to certain folders, Microsoft Defender for Identity provides the capability to disable a user, and Microsoft Defender for Endpoint can isolate devices. All the remediation capabilities can be triggered from any signal – alerts, activities or custom detections – regardless of which product triggered them. Effectively, MDI signals can trigger any of the other Defender actions. You can read more about it here: https://docs.microsoft.com/en-us/microsoft-365/security/defender/m365d-remediation-actions?view=o365-worldwide