Ninja Cat Giveaway: Episode 10 | Identity Threat Detection and Response


For this episode, your opportunity to win a plush ninja cat is the following –

Our season finishes here! After learning about this last topic, tell us your thoughts on the Microsoft 365 Defender approach to ITDR.


This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

12 Replies
Thank you, Heike, your team, and all speakers for the amazing Ninja training! Looking forward to the next season!
Thank you for the session! What I particularly love is recognizing that ITDR is a team sport. Generally speaking, I have seen lots of fragmentation, where one team has no idea what the other one is doing. Especially where there are tools or services that are used within one team in the company, and broadly speaking IT would have no idea about it. Seeing lots of different apps and identity providers listed in the demo was great.
Teaming up and sharing relevant information - that is a real force multiplier and enables everyone to be more effective!

@Heike Ritter I Really like the ITDR. Its nice to have a place to look at all the logins, the risk score, and why they scored high. If you do spot a true positive risk for a user you need to be able to quickly disable their AD account and you can do it within a few clicks, it really makes the ITDR portal of great value. Thanks for the great info!

Hey@Heike Ritter 
The ITDR module is one of the important components when it comes to M365D, the ITDR helps us to prioritize things, add more context and gives us a timeline of the things. Whenever an incident occurs, the first thing anyone would be checking is:
"What is happening?"
"Who is the user associated?"
"What are the devices associated?"
and able to answer them all via the ITDR portal is so helpful.
Corelating many alerts, automating them and finally combining them to an incident and giving them a risk level score is one of the components I like, and this helps analysts when it comes to Proactive hunting.


Also @Heike Ritter and team, loved all the episodes, Keep'em coming. Looking forward.
Praveen A 

Great episode and a lot of food for thought. I love the unified approach of Defender's ITDR, combining information from all of the Defender components to provide extended detection and response across domains. It makes my job much easier!

I want to reach out and express my gratitude for the Virtual Ninja Training. The shared insights and expertise in the different area's of Microsoft products have been incredibly valuable to me and I'm sure to many others who watched the training.


I believe that the Microsoft 365 Defender approach to ITDR is comprehensive and proactive, providing organizations with the tools they need to protect against a range of identity-related attacks. The solution's focus on identity protection is especially critical given the increasing prevalence of identity theft and fraud in today's digital landscape. 

best response confirmed by MSTechie (Microsoft)
My favourite quote of the session was "securing identities is a team sport", I love how Microsoft is encouraging organisations to ensure the identity team and SOC team work together as one to protect their environments better and protect identities where ever the are and providing protection across different identity providers.
Great show, cannot wait for Season 4!

In terms of M365 Defender approach to ITDR:
The whole defender 365 solution in terms of identity investigation is evolving so fast that it only makes me smile. (Talking from the SOC Operative perspective).
Although I have noticed that sometimes the metrics, such as “Investigation Priority” is not accurate and seems like guessing game, as for some users “High Priority” is not justified, as from the investigation no abnormal behaviour was noticed.
Apart from that, great feature :)

Another feature that “bring joy” are the merge of response actions that blue teamers can do from the identity tab in Defender.
Marking the user as Compromised instead of rushing to the Identity Protection - Cool!
Forcing User Password Reset instead of rushing to AAD - Cool!
Disabling user account and banishing them to shadow realm - Super Cool! :D

Waiting for new stuff to come!
I find it great that all the information about a user is summarized in a managemen console. All the indentities in one console and with the Secure Score I can find exactly the candidates that I need to look at more closely and here you can also dig deeper and have all the information together. My Security Engineer will it like so much

@Heike Ritter thank you and the Defender Tech Community team for the past season of the Ninja Cat Show! It has been a thrill to watch it.


My thoughts on the Defenders ITDR-approach from an operator standpoint are how simple it is to first set up for the whole organization and gain valuable insight into the identity risk brought by either a rogue user or stolen credentials. ITDR enriches the identity data in an abnormal situation involving any sort of identity, no matter if it's an actual user, shared mailbox, service account or anything else in cloud, on-prem or external. Risk scores are also a very nice way to display how the user is regurarly acting and if there is some big variance all of a sudden.

@Heike Ritter 


Microsoft 365 Defender approach to ITDR

ITDR :- It provides the amazing integration and automation between Identity providers (identity admin-covering MS & non-MS solution providers) and identity protection (SOC- analyst) 

It helps in solving the biggest problem in the identity space during attack eg. Along with taking right remediation with the Defender solution , there is detailed investigation on the attack can be done through SOC which provides the critical details of attack.

Microsoft has done a great job with ITDR in Defender. I have been using these tools to identify possible threats within our environment and with its tight integration with our IMS, it makes filtering out possible false positives easy so I can focus more on the alerts that need attention.