Notes for "Atul Raizada: Defender for Identity Part 1 - Offering, Architecture & Deployment"
Links:
For onPrem AD (but not only).
Cloud Product, Sensors installed on onPrem Servers.
Not a new product.
"The key here, my friends, is real-time detection."
- Detection based on learning the network and spotting anomalies
- Behavioral detections
- CVE based detections
- Tool and signature-based detection
- Network Traffic Analysis: Inspect network traffic, NTLM, Kerberos, LDAP, RDP, DNS, SMB.
- Security Events and event tracing: Inspect events and event tracing, and profile AD entities.
- User behavior analytics: Profile users and entities behavior, identify behavior anomalies.
- Cloud-based real-time detections: Data enrichment and correlation in Azure for real-time detection.
Sensor could also be deployed on a stand-alone server which is much more work. Sensor does not add a lot of compute on DCs.
Should be integrated with Microsoft 365 Defender (holistic view of your environment)
Requirements / Licensing: Enterprise Mobility + Security E5 (EMS E5/A5), Microsoft 365 E5 (M365 E5/A5/G5) or Microsoft 365 E5/A5/G5 Security.
Prerequisites for Deployment Plan Capacity for Microsoft Defender for Identity
The following detections will be shown in the demo!
GMSA Account = Group-managed Service Account
The video next shows the configuration & setup of the GMSA for MDI.
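The gMSA setup the video walks through, as an added example (not the speaker's own script); the account name mdiSvc01, the group MDI-Sensors, the host DC01 and the domain contoso.com are assumptions:

```powershell
# Added example (not from the video or these notes): creating a gMSA for the MDI
# sensor with least privilege. mdiSvc01, MDI-Sensors, DC01 and contoso.com are assumed names.
Import-Module ActiveDirectory

# 1. A KDS root key must exist once per forest before any gMSA can be created.
#    -EffectiveImmediately still needs ~10 hours of replication in production;
#    use it only in an isolated lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Restrict who may retrieve the managed password to the hosts that run the sensor.
#    Domain controllers are the usual members; a stand-alone sensor server is added explicitly.
New-ADGroup -Name 'MDI-Sensors' -GroupScope Global -GroupCategory Security `
    -Description 'Hosts allowed to retrieve the MDI gMSA password'
Add-ADGroupMember -Identity 'MDI-Sensors' -Members 'DC01$'

# 3. Create the gMSA. The Directory Service Account only needs read access to AD,
#    so it gets no group memberships beyond the default.
New-ADServiceAccount -Name 'mdiSvc01' `
    -DNSHostName 'mdiSvc01.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'MDI-Sensors' `
    -KerberosEncryptionType AES128, AES256

# 4. On each sensor host (after a reboot so the new group membership is in its token),
#    verify the host can actually retrieve the password before installing the sensor.
Test-ADServiceAccount -Identity 'mdiSvc01'   # True when the host can use the gMSA
```

If Test-ADServiceAccount returns False, check the host's membership in MDI-Sensors and that the KDS root key has replicated before troubleshooting the sensor itself.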
What are entity tags?
- Sensitive Accounts: You could specifically add your Domain Admins to this list.
- Honeytoken Accounts: Traps for malicious actors. Any authN associated with these accounts triggers an alert.
- Exchange Server: Self-explanatory.
Groups or Devices work too for these tags, not just accounts! Cool!
You can configure the Syslog Service to enable notifications (for SIEM integration)
Done!
Link to YouTube Video: Microsoft Defender for Identity Part 1 - Offering, Architecture & Deployment
PowerPoint Slides