Microsoft is updating Microsoft Defender for Identity to let security operations (SecOps) teams respond to attacks by locking the Active Directory account of a compromised user.
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, or Azure ATP) is a cloud security service that uses on-premises Active Directory signals to detect and analyze advanced threats, compromised identities, and malicious insider activity targeting enrolled organizations.
Native ‘response’ actions will arrive later this month
After adding what the company called “native ‘response’ actions” to Defender for Identity, “SecOps will have the ability to directly lock the Active Directory account or request that the password be reset, which means actions can be taken more directly when a user is compromised.”
“Until now, when a user is confirmed to be compromised in Microsoft Defender for Identity, it is the Azure Active Directory account that is done through a conditional access rule,” as Redmond revealed in the Microsoft 365 roadmap.
Defender for Identity’s native ‘response’ actions are still in development, but the company plans to make the feature generally available worldwide to standard multi-tenant customers later this month.
Microsoft Defender for Identity is included with Microsoft 365 E5, and you can start an E5 Security trial right now to try the new feature as soon as it launches.
Tracking emerging threats and malicious insiders
In related news, Microsoft announced in March that Threat Analytics for Microsoft 365 Defender and Microsoft 365 Insider Risk Management Analytics had entered public preview.
Threat Analytics is designed to help track and stop emerging threats (including ongoing attacks, critical security flaws, and widespread malware) using threat intelligence provided by Microsoft security researchers.
Microsoft 365 Insider Risk Management Analytics lets customers run daily scans of their audit logs, with the goal of detecting potentially malicious insider activity.
In January, Redmond also announced the addition of attack simulation training in Microsoft Defender for Office 365 to help SecOps teams simulate real attacks for “accurate and up-to-date detection of risky behavior.”