Safeguard Your Environment With Microsoft Defender for Identity

Microsoft Defender for Identity

Microsoft Defender for Identity is a cloud-based security solution that uses signals from your on-premises Active Directory to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. It provides the following benefits:
  • Monitor users, entity behavior, and activities with learning-based analytics
  • Protect user identities and credentials stored in AD
  • Identify and investigate suspicious user activities as well as advanced attacks throughout the kill chain
  • Provide clear incident information on a simple timeline for fast triage

Monitor & profile user behavior & activities

Microsoft Defender for Identity monitors and analyzes user activities and information across your network, such as permissions and group membership, and identifies anomalies with adaptive, built-in intelligence. This gives you insight into the suspicious activities and events that reveal advanced threats, compromised users, and insider threats facing your organization. Its sensors run on your domain controllers and observe the authentication traffic those controllers handle, which gives a comprehensive view of user activity from every device that authenticates against the domain.

Protect user identities & reduce the attack surface

Microsoft Defender for Identity gives you insight into your identity configuration and suggests security best practices. Its Lateral Movement Paths feature shows how an attacker who has compromised one account could move laterally inside your organization to reach sensitive accounts, so that you can break those paths before they are used. Its security reports also identify the users and devices that authenticate using clear-text passwords (for example, LDAP simple binds over an unencrypted connection) and provide further insight for improving your organization's security posture and policies.

Identify suspicious activities & advanced attacks across the cyber-attack kill chain

Microsoft Defender for Identity has a wide range of detections across the kill chain, from reconnaissance through credential compromise to lateral movement and domain dominance. Brute-force attacks are among the most common ways credentials are compromised: an attacker either tries many passwords against one or more accounts until a correct one is found, or tries a single password against a large number of accounts (a password spray) in the hope that it works for at least one of them. Microsoft Defender for Identity detects both patterns when it observes the resulting authentication failures over Kerberos or NTLM, whether as many failures against a single account or as a spread of failures across many accounts from the same source.

The next stage is lateral movement, for example with pass-the-ticket. This detection fires when the same Kerberos ticket is seen in use from two (or more) different computers, a strong indicator that the ticket was stolen from one machine and replayed from another. Some legitimate scenarios, such as remote desktop sessions, can produce similar evidence, so the alert should be triaged against the devices the user is expected to work from.

Finally, an attacker who wants domain dominance can, from any domain-joined machine with sufficient rights, register a rogue domain controller and push changes into Active Directory through the normal replication process (the technique known as DCShadow). Microsoft Defender for Identity raises an alert when a machine in the network attempts to register itself as a domain controller in this way.

This is not the complete set of detections, but it shows the breadth of what Microsoft Defender for Identity covers.
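The three detections described above (brute force, password spray, and pass-the-ticket) reduce to simple aggregations over authentication records, which is easy to see when the logic is written out. The following PowerShell is an added example and is not code from the original post or from Microsoft: it runs a toy classifier over constructed sample records. The record fields (Time, Protocol, Account, SourceHost, Result, TicketId), the thresholds, and the host and account names are assumptions made for this example, not the sensor's real schema or Microsoft's detection logic.

```powershell
# Added example (not code from the original post or from Microsoft): a toy
# classifier for three of the patterns described above, run over constructed
# sample records. Field names and thresholds are assumptions for this example.

function New-LogonRecord {
    param($Time, $Protocol, $Account, $SourceHost, $Result, $TicketId = $null)
    [pscustomobject]@{
        Time       = [datetime]$Time
        Protocol   = $Protocol
        Account    = $Account
        SourceHost = $SourceHost
        Result     = $Result
        TicketId   = $TicketId   # only populated when a Kerberos ticket is presented
    }
}

function Find-SuspiciousLogons {
    param(
        [object[]]$Records,
        [int]$BruteForceThreshold = 10,   # failures for one account from one host
        [int]$SprayThreshold      = 10    # distinct accounts failed from one host
    )
    $alerts   = [System.Collections.Generic.List[object]]::new()
    $failures = @($Records | Where-Object { $_.Result -eq 'Failure' })

    # Brute force: many failures against the same account from the same source,
    # over Kerberos, NTLM or both.
    foreach ($g in ($failures | Group-Object SourceHost, Account)) {
        if ($g.Count -ge $BruteForceThreshold) {
            $alerts.Add([pscustomobject]@{
                Type     = 'BruteForce'
                Source   = $g.Group[0].SourceHost
                Account  = $g.Group[0].Account
                Evidence = "$($g.Count) failures over $(@($g.Group.Protocol | Sort-Object -Unique) -join '/')"
            })
        }
    }

    # Password spray: one source, many different accounts, each failing only
    # once or twice. Per-account counts stay below any lockout threshold, which
    # is exactly why per-account logic alone misses it.
    foreach ($g in ($failures | Group-Object SourceHost)) {
        $accounts = @($g.Group.Account | Sort-Object -Unique)
        if ($accounts.Count -ge $SprayThreshold -and ($g.Count / $accounts.Count) -le 2) {
            $alerts.Add([pscustomobject]@{
                Type     = 'PasswordSpray'
                Source   = $g.Group[0].SourceHost
                Account  = "$($accounts.Count) accounts"
                Evidence = "$($g.Count) failures, $($g.Count / $accounts.Count) per account"
            })
        }
    }

    # Pass-the-ticket: the same Kerberos ticket presented from two or more hosts.
    foreach ($g in ($Records | Where-Object { $_.TicketId } | Group-Object TicketId)) {
        $hosts = @($g.Group.SourceHost | Sort-Object -Unique)
        if ($hosts.Count -ge 2) {
            $alerts.Add([pscustomobject]@{
                Type     = 'PassTheTicket'
                Source   = $hosts -join ','
                Account  = $g.Group[0].Account
                Evidence = "ticket $($g.Name) used from $($hosts.Count) hosts"
            })
        }
    }
    return $alerts
}

# Constructed sample data (not captured from a real environment):
#  - 12 NTLM failures for svc-backup from WS-17          -> brute force
#  - one Kerberos failure each for 15 accounts from WS-42 -> password spray
#  - alice's ticket TGT-7f3a seen from WS-01, then WS-99  -> pass-the-ticket
$records = @()
$records += 1..12 | ForEach-Object {
    New-LogonRecord "2024-05-01T08:00:$($_.ToString('00'))" 'NTLM' 'svc-backup' 'WS-17' 'Failure'
}
$records += 1..15 | ForEach-Object {
    New-LogonRecord "2024-05-01T09:00:$($_.ToString('00'))" 'Kerberos' "user$($_.ToString('00'))" 'WS-42' 'Failure'
}
$records += New-LogonRecord '2024-05-01T10:00:00' 'Kerberos' 'alice' 'WS-01' 'Success' 'TGT-7f3a'
$records += New-LogonRecord '2024-05-01T10:05:00' 'Kerberos' 'alice' 'WS-99' 'Success' 'TGT-7f3a'

Find-SuspiciousLogons -Records $records | Format-Table -AutoSize
```

Running the script prints one alert per pattern: a BruteForce alert for svc-backup from WS-17, a PasswordSpray alert for WS-42 covering 15 accounts, and a PassTheTicket alert for TGT-7f3a seen from WS-01 and WS-99. The point of the two separate aggregations is that the brute-force rule (group by host and account) never fires for the spray host, because each account there fails only once; the spray rule has to group by source alone and count distinct accounts.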

Configure Microsoft Defender for Identity sensors

At a high level, the following steps are required to enable the Microsoft Defender for Identity:

  1. Create a Microsoft Defender for Identity instance in the management portal.
  2. Specify an on-premises AD service account (a group managed service account is recommended) in the Microsoft Defender for Identity portal.
  3. Download the sensor package and its access key from the portal.
  4. Install the Microsoft Defender for Identity sensor on all domain controllers.
  5. Integrate your VPN solution (optional).
  6. Exclude the sensitive accounts you listed during the design process.
  7. Configure the permissions the sensor's service account needs to make SAM-R calls.
  8. Configure integration with Microsoft Cloud App Security.
  9. Configure integration with Microsoft 365 Defender (optional).
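Steps 2, 3, 4 and 7 are the ones done on the Windows side rather than in the portal. The following PowerShell is an added example, not code from the original post or from Microsoft's documentation, and scripts those steps end to end. The account name mdiSvc01, the domain contoso.com, the package path and the access key are placeholders, and the portal-only steps (1, 5, 6, 8, 9) are not scripted here.

```powershell
# Added example (not code from the original post or from Microsoft's docs):
# the Windows-side steps of the sensor rollout. mdiSvc01, contoso.com, the
# package path and the access key are placeholders.

#Requires -Modules ActiveDirectory

# Step 2: create a group managed service account (gMSA) for the sensor.
# gMSAs need a KDS root key in the forest; -EffectiveImmediately skips the
# default 10-hour delay, which is fine in a lab but in production the key
# should be allowed to replicate to every DC before the account is created.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

$gmsaName = 'mdiSvc01'      # placeholder
$domain   = 'contoso.com'   # placeholder
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.$domain" `
        -Description 'Microsoft Defender for Identity sensor account' `
        -PrincipalsAllowedToRetrieveManagedPassword 'Domain Controllers'
}
# Run on each domain controller: True means this DC can retrieve the gMSA
# password, which the sensor needs when its service starts.
Test-ADServiceAccount -Identity $gmsaName

# Steps 3-4: silent install of the sensor package downloaded from the portal,
# using the workspace access key shown on the portal's sensor page. Run
# elevated on each domain controller.
$setup     = 'C:\Install\Azure ATP sensor Setup.exe'   # placeholder path
$accessKey = '<access key from the portal>'             # placeholder; never commit a real key
Start-Process -FilePath $setup -Wait -ArgumentList @(
    '/quiet',
    'NetFrameworkCommandLineArguments="/q"',
    "AccessKey=`"$accessKey`""
)
# Both sensor services should be running once setup returns.
Get-Service -Name AATPSensor, AATPSensorUpdater | Select-Object Name, Status

# Step 7: allow the sensor account to make remote SAM (SAM-R) calls. Since
# Windows 10 / Server 2016 the policy "Network access: Restrict clients allowed
# to make remote calls to SAM" limits SAM-R to Administrators by default. The
# policy is an SDDL string; appending an ACE for the sensor account keeps the
# default and adds only that principal. The setting belongs on every domain
# member except the domain controllers, so roll it out through a GPO; the
# registry write below shows the resulting value on a single host.
$gmsaSid = (Get-ADServiceAccount -Identity $gmsaName).SID.Value
$sddl    = "O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;$gmsaSid)"
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'RestrictRemoteSAM' -Value $sddl -Type String
# Decode the SDDL to confirm both principals hold the RC (read control) right.
(ConvertFrom-SddlString -Sddl $sddl).DiscretionaryAcl
```

Two checks are worth doing before relying on this. First, the gMSA also needs the "Log on as a service" right on each domain controller that runs the sensor, which is a GPO user-rights assignment not shown above; a sensor whose account lacks it will fail to start. Second, the SAM-R ACE uses the account's SID rather than its name, which sidesteps the trailing `$` in a gMSA's sAMAccountName and still resolves correctly if the account is ever renamed.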

Installed directly on your domain controllers, the Microsoft Defender for Identity sensor reads the Windows event logs it requires from the domain controller itself and captures the controller's network traffic locally, so no port mirroring is required. It has the following core functionality:

  • Capture and inspect domain controller network traffic
  • Receive Windows events directly from the domain controllers
  • Receive RADIUS accounting information from your VPN provider
  • Retrieve data about users and computers from the Active Directory domain
  • Perform resolution of the network entities (users, groups, and computers)
  • Transfer relevant data to the Microsoft Defender for Identity cloud service
