One of the most exciting parts of being a security technical specialist is the opportunities to face and solve different challenges with our customers. I enjoy diving into research mode and finding the best solutions for their security needs.
This month, we had a customer security session where we encountered a blocker that required some investigation and collaboration, the other thing i love about my role is the access to security knowledge and expertise within the Microsoft network, people who are ready to jump in and share and suggest alternative ways I could tackle my blocker.
In this blog post, I wanted to share one of my demo discoveries that I hope you find useful and informative when using Microsoft Defender.
One of my focus solutions is the defender suite which is a set of enterprise security products and services that provide comprehensive protection against sophisticated cyberattacks.
The defender suite includes:
- Microsoft Defender for Endpoint
- Microsoft Defender for Office 365
- Microsoft Defender for Identity,
- Microsoft Defender for Cloud Apps
Today I am going to mainly focus on the Microsoft Defender for Identity (previously referred to as the Azure Advanced Threat Protection) which is a cloud-based security solution that helps you protect your on-premises identities from advanced threats and malicious insiders. It monitors and analyzes user activities and behaviors in your network, detects anomalies and suspicious events, and provides you with tools to investigate and respond to incidents.
MDI was usually seen as a monitoring tool but that has changed since March, a new set of capabilities have been added that gives MDI the ability to set remediation actions in response to a compromised identity.
How does it work :
- A sensor installed on each domain controller in your environment. The sensor collects and analyzes data from Active Directory and sends it to the cloud service.
- A gMSA (group Managed Service Account) configured for the sensor. The gMSA allows the sensor to impersonate a domain account with the necessary permissions to perform remediation actions on user accounts.
- The remediation permissions granted to the gMSA account. You can use the built-in role “Defender for Identity Remediation” or create a custom role with the required permissions.
Once you have these prerequisites, you can perform remediation actions on user accounts from various pages in the Microsoft Defender for Identity portal, such as:
- The user page: You can view the details of a user account, such as its activities, alerts, and lateral movement paths. You can also disable or change the password of the user account from this page.
- The advanced hunting page: You can run custom queries to find user accounts that match certain criteria, such as suspicious logins, password changes, or group memberships. You can also disable or change the password of the user accounts from this page and too add some automated function you could create a detection rule from the query to trigger the remediation action, you can see how from the video below.
- The action center: You can view the history of all remediation actions performed by you or other users in your organization. You can also undo or redo any remediation action from this page.
With this feature release, Microsoft’s XDR experience just become even more powerful. Security teams can now manage all their identities in Microsoft 365 Defender and link them to detections from other workloads (such as endpoint, Office 365 and cloud apps). This enables faster and more effective threat identification and response.
Microsoft security is always evolving and improving, so there is never a dull moment and one of the most rewarding is the opportunity to explore and learn about the various features and configurations, every day, I encounter new scenarios and challenges that I decided to document share.
The views and opinions expressed in this blog are my own