The solution could improve how it handles on-premises Android-related attacks. Without Microsoft Defender, it can be challenging to check which accounts are compromised and to analyze activities on on-premises servers. Enhancing this capability would make it even more effective.
Security Specialist at a construction company with 1,001-5,000 employees
Real User
Top 20
2024-09-10T11:45:00Z
Sep 10, 2024
The solution should provide more detailed data regarding anomaly detections. You get information occasionally, but it doesn't always correlate the different anomalies accurately. It takes quite a lot of effort to look at sign-in logs and security alert logs. It would be nice to consolidate all that information into a more centralized view instead of going through different platforms in the Azure Stack to investigate.
There are issues with the alerts in Microsoft Defender for identity-related intra-protection detection anomalies. The alerts are missing some data, which makes it difficult to determine the exact sign-in event associated with the alert. For instance, if we see a sign-in from a different country, we want to correlate this with the sign-in events recorded in our system and Microsoft. The alert in Defender does not provide the necessary details to match it directly with the corresponding sign-in event. To address this, we need to refer to Defender Protection events, where we can find the IP and sign-in ID associated with the event. It would be beneficial if Microsoft developed the Microsoft Graph API for Advanced Hunting to facilitate more automation. Currently, the schema is not very well-defined, which limits automation possibilities. Additionally, improvements could be made to enhance queries, such as obtaining the full path of a process, which is available in EDR. Addressing these areas would significantly improve functionality and integration. Occasionally, we've encountered issues with the API, such as when we cannot access the data and receive a 500 Internal Server Error. This has happened several times over the past few days.
Owner at a tech services company with 51-200 employees
Real User
Top 5
2024-08-08T17:23:00Z
Aug 8, 2024
It integrates with on-premises Active Directory environments. It is designed to enhance security by providing advanced threat detection and response capabilities for both Azure Active Directory and on-premises Active Directory. This integration allows for comprehensive monitoring and protection of identity-related activities across both environments. It focuses on protecting the on-premises Active Directory infrastructure and does not directly link both identity repositories. For users operating in mixed environments, while Defender for Identity offers robust protection for on-premises AD, additional solutions or configurations might be necessary to ensure seamless security management across Azure and on-premises AD systems.
Cloud Security Engineer at a non-tech company with 10,001+ employees
Real User
Top 10
2023-12-21T07:14:00Z
Dec 21, 2023
One potential area for improvement could be exploring flexibility in the installation of Microsoft Defender for Identity agents. Currently, it is mandatory to install the agent on the on-premises environment, and considering if there could be more flexibility in deployment might be worth exploring.
The tracking instance needs to be configured appropriately. They need to be able to identify more vulnerabilities in order to increase the efficiency of the solution.
Updated: November 2024.
Microsoft should look at what competing vendors like CrowdStrike and Broadcom are doing and incorporate those features into Sentinel and Defender. At the same time, I think the intelligence inside the product is improving fast. They should incorporate more zero-trust and hybrid trust approaches. They need to build up threat intelligence based on threats and methods used in attacks on other companies.
Although the threat protection is comprehensive, the solution needs to be reevaluated when it comes to complex scenarios. There is no publicly available roadmap regarding upcoming features and improvements to the product. The product has significant limitations around acquiring device vulnerabilities, primarily because hunting queries are limited. The technical support needs significant improvement. Documentation for more minor issues in the form of guides or walkthroughs could help to resolve this issue. The number of tickets raised would decrease, removing some pressure from the support team and making it easier to clear the remaining tickets.
There is no option to remedy an issue directly from the console. If we see an alert, we can't fix it from the console. Instead, we must depend on other Microsoft products, such as MDE. That is a significant drawback. It simply works as a scanner, which can sometimes put enough load on the sensors. Immediate actions should be possible from the dashboard because it can prevent issues from spreading further.
Cyber Security BA/BSA at an insurance company with 10,001+ employees
Real User
2021-03-13T00:30:29Z
Mar 13, 2021
When the data leaves the cloud, there are security issues. The cloud security services and the integration with on-prem applications like SIEM need to be improved.
Microsoft Defender for Identity is a comprehensive security solution that helps organizations protect their identities and detect potential threats. It leverages advanced analytics and machine learning to provide real-time visibility into user activities, enabling proactive identification of suspicious behavior.
With its powerful detection capabilities, it can identify various types of attacks, including brute force, pass-the-hash, and golden ticket attacks. The solution also offers...
The solution could be better at using group-managed access and they could replace it with broad-based access controls.