Loading...

Identity Protection alerts now available in Microsoft 365 Defender

Identity Protection alerts now available in Microsoft 365 Defender

Azure Active Directory (Azure AD) Identity Protection alerts are now part of Microsoft 365 Defender.

 

Identity compromise is a pivotal component in any successful attack. By taking control over a legitimate organizational account, attackers gain the ability to move around the network, access organizational resources, and compromise more accounts.  With sufficient permissions in hand, attackers have the “keys to the kingdom” to finally achieve their objective – encrypting the entire network, exfiltrating emails or other confidential information, or any other malicious goals. Because of this, it is critical for defenders to have wide visibility into identity activities and gain assistance in spotting suspicious or abnormal activities. This helps defenders identify, investigate, and respond to identity compromise, stopping and evicting attackers from the network.

 

With the appearance of modern attackers like Nobelium, we have seen identity compromise scenarios taken to the next level - extending across the organization’s on-prem network and cloud environment.

 

With Nobelium, attackers infiltrated the on-prem network and managed to compromise accounts with permissions to the AD FS server, which serves as an “LSASS of the cloud” – enabling users of the organization to gain access to cloud resources and services. Once attackers gained control of the AD FS server, they were able to mint tokens for cloud access and reach into user’s mailboxes to read and exfiltrate content.  

 

Defenders must be able to monitor and protect identities of all kinds, across on-prem, in the cloud, and in-between.

Identity Protection is an important defense in your battle against identity compromise, bringing visibility and protection of Azure Active Directory identities.  

 

You might already be familiar with the Identity Protection experience in the Azure or Entra Portals. Until now, if you wanted a full understanding of the role of Azure AD identities in end-to-end attacks, you needed to traverse both the Azure portal and the Microsoft 365 Defender portal. Now, we are bringing the Identity Protection alerts into Microsoft 365 Defender. Identity Protection alerts are now correlated into related incidents along with alerts from the other security domains, and can be reviewed directly in Microsoft 365 Defender for a full view of the end-to-end attack. No need to switch portals! This helps drive efficiency and simplicity for security teams investigating incidents to understand the full scope of the attacker’s activity and take action in one place.

 

Idan_Pelleg_9-1666685411653.png

 

Example of an Azure AD Identity Protection alert within an incident

 

Azure Active Directory Identity Protection leverages trillions of signals to spot compromised identities. Identity Protection takes individual risk detections to compute a user’s overall likelihood of compromise, known as their user risk score. Identity Protection detects suspicious sign-in attempts by Azure AD accounts and uses additional signal to detect indicators of compromise offline. Some of these detections include unfamiliar sign-in properties, anomalous token, anonymous IP address, and leaked credentials. With Identity Protection, you not only gain insights into risky users, but have mechanisms to automatically mitigate and remediate risk.

To best leverage these Identity Protection signals and tune your environment to reduce false positive, we recommend you enable the risky user and risky sign-in policies for automatic remediation.

 

Additionally, there are several Microsoft 365 Defender correlations that generate new cross-product detections based on the compromised user alerts coming from Azure AD Identity Protection. Alerts include: "Suspicious searches in Exchange Online", "Suspicious quantity of downloaded archive files", "Suspicious domain trust modification following risky sign-in", and "Suspicious Addition of an Exchange related App Role". With this integration, you will also benefit from the combined detection signal.

 

Investigating Azure AD identity compromise alerts as part of the end-to-end incident helps security teams more easily determine root cause, identify affected identities in the attack, and handle the compromised identities more quickly and efficiently. For example, you can suspend specific accounts to block an attack progression and limit its impact. You can also confirm a user as compromised to move them to high risk in Identity Protection and trigger the aforementioned risky user policy to securely change their password.

 

user aad.gif

A risky user in Microsoft 365 Defender with risk level generated by AAD Identity Protection and confirming that the user is compromised.

 

Once the incident investigation and response is done, the incident and Azure AD Identity Protection alert can be resolved in Microsoft 365 Defender. You can mark a user as compromised in Azure AD directly from the Microsoft 365 Defender user page. The incident status will automatically update in the Azure AD Identity Protection portal. 

 

In addition to Azure AD Identity Protection alerts now being integrated into the Microsoft 365 Defender experience, they are also available via the Microsoft 365 Defender Incident API, so you can track incidents that include Azure AD Identity Protection alerts in Microsoft Sentinel or any other solution in your SOC.

 

Idan_Pelleg_13-1666685500418.png

Example of an Azure AD Identity Protection alert in the Microsoft 365 Defender portal

 

By default, only the most relevant alerts for the security operation center are enabled. If you want to get all AAD IP risk detections or turn the integration off, you can change it in Microsoft 365 Defender setting page under “Alert service setting” section

 

Idan_Pelleg_14-1666685553703.png

 

 

 

We’re excited for you to use and test this new capability, and we’re interested in your feedback! Let us know what you think by using the feedback tool in the Microsoft 365 Defender portal.

Published on:

Learn more
Microsoft 365 Defender Blog articles
Microsoft 365 Defender Blog articles

Microsoft 365 Defender Blog articles

Share post:

Related posts

Viva Learning: AI and Copilot Resources Provider visibility

The AI and Copilot Resources Provider will be visible by default to users with Copilot licenses in Microsoft 365, with rollout starting late D...

27 minutes ago

Microsoft Defender for Office 365: Third-party add-in user report can be sent to Microsoft for analysis

Defender for Office 365 now allows administrators to configure the system to send messages reported by third-party add-ins to Microsoft for an...

27 minutes ago

SharePoint Drag and Drop Experience Updates

SharePoint and Amplify canvas have new drag and drop updates, including bigger drop hints, updated cursor icons, and the ability to add new se...

30 minutes ago

Microsoft Viva: Viva Amplify – Support for dwell time and clicks graphs in Amplify reporting

This release will add two new graphs to Amplify reporting: dwell time and clicks. The dwell time graph will indicate the average time users sp...

36 minutes ago

Microsoft 365: Updates to the Microsoft 365 app

The Microsoft 365 app name, icon, and UI will evolve to support future AI-first experiences. Key UI changes include reducing the top header an...

37 minutes ago

Microsoft Viva: Viva Glint – Zero downtime for Viva Glint releases

Viva Glint releases previously needed several hours of downtime. With this feature, future releases will be transparent to customers, requirin...

3 days ago

Microsoft 365 app: Microsoft Loop – Add a Loop Workspace to your Teams Channel

Channels in Microsoft Teams streamline collaboration by bringing people, content, and apps together and helping to organize them by project or...

3 days ago

Microsoft Copilot (Microsoft 365): Clipchamp Copilot video creator

Create a video draft on any topic by providing a prompt. Clipchamp will create a video using stock video and music with an AI-generated voiceo...

3 days ago

New deployments of Microsoft 365 desktop client apps to include new Outlook

Microsoft 365 desktop client apps’ new deployments will now include new Outlook. Rollout starts late February 2025, with completion by e...

3 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy