This article is a reference of all Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) releases until (and including) release 2.55. For recent Defender for Identity release updates (2.56 and newer), see Defender for Identity what’s new. Azure ATP release 2.55 Released November 18, 2018 Security Alert: Suspicious communication over DNS […]
Defender for Identity can forward security alert and health alert events to your SIEM. Alerts and events are in the CEF format. This reference article provides samples of the logs sent to your SIEM. Sample Defender for Identity security alerts in CEF format The following fields and their values are forwarded to your SIEM: SAMPLE […]
Note The final release of ATA is generally available. ATA will end Mainstream Support on January 12, 2021. Extended Support will continue until January 2026. For more information, read our blog. Use this guide to move from an existing ATA installation to the (Microsoft Defender for Identity) service. The guide explains Defender for Identity prerequisites and requirements, […]
This article describes how to uninstall the Microsoft Defender for Identity sensor from domain controllers for the following scenarios: Uninstall a sensor from a domain controller Remove an orphaned sensor Remove a duplicate sensor Uninstall a sensor from a domain controller The following steps describe how to uninstall a sensor from a domain controller. Sign […]
Note The Microsoft Defender for Identity sensor automatically reads events locally, without the need to configure event forwarding. To enhance detection capabilities, Defender for Identity needs the Windows events listed in Configure event collection. These can either be read automatically by the Defender for Identity sensor or in case the Defender for Identity sensor is not […]
To enhance detection capabilities, Microsoft Defender for Identity needs the Windows events listed in Configure event collection. These events can either be read automatically by the Defender for Identity sensor or in case the Defender for Identity sensor is not deployed, it can be forwarded to the Defender for Identity standalone sensor in one of two […]
Note Defender for Identity standalone sensors do not support the collection of Event Tracing for Windows (ETW) log entries that provide the data for multiple detections. For full coverage of your environment, we recommend deploying the Defender for Identity sensor. The following steps walk you through the process for validating that port mirroring is properly […]
Note Defender for Identity standalone sensors do not support the collection of Event Tracing for Windows (ETW) log entries that provide the data for multiple detections. For full coverage of your environment, we recommend deploying the Defender for Identity sensor. The main data source used by Defender for Identity is deep packet inspection of the […]
Microsoft Defender for Identity lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity Service account created during Defender for Identity installation Step 2. Connect to AD. Configure SAM-R required permissions To ensure Windows clients and servers allow your Defender for […]
Each Microsoft Defender for Identity sensor requires Internet connectivity to the Defender for Identity cloud service to report sensor data and operate successfully. In some organizations, the domain controllers aren’t directly connected to the internet, but are connected through a web proxy connection. We recommend using the command line to configure your proxy server as […]