Azure AD Identity Protection Part 1

Video Transcription
Hello, Cybrarians. Welcome to this lesson on Azure AD Identity Protection, part one. This is part of the AZ-500: Microsoft Azure Security Technologies course.
Quick information on the topics we'll be covering in this lesson: we'll start by giving an overview of what Identity Protection is. We'll then discuss the risk types, the detection types and the risk levels in Identity Protection.
Let's get into this.
So what exactly is Identity Protection? Here's my definition. It is an identity risk detection service provided by Microsoft. But what exactly does this mean?
What this means is that this service can help us to automate the detection of indicators of compromise and suspicious actions in Azure AD sign-in activities. If you think about it, there's a wealth of potentially useful information in Azure AD sign-in activities.
I said potentially because the information needs to be analysed to obtain intelligence from it. This involves a lot of administrative effort if we were to attempt to do this manually.
Thankfully, with Identity Protection, this can be automated using machine learning algorithms built and trained by the Microsoft Identity Service team.
Another good thing about this service is that it's not only about detecting indicators of compromise. We can further investigate the risk events that have been detected by using the Identity Protection reports. We can configure policies to automatically respond to detected risks,
and we can even export the detections to third-party systems for further analysis or event correlation.
For us to be able to use Identity Protection, there is a requirement of the Azure AD Premium P2 edition. When it comes to risks, or indicators of compromise, there are two types of risk that Identity Protection can detect. It can detect user risks and sign-in risks. A user risk represents the likelihood
that the user's account has been compromised.
In other words, Azure AD, based on its heuristics and machine learning algorithm, indicates that the user's credential is not in the hands of the legitimate user. These risks are calculated offline,
using Microsoft's internal and external threat intelligence sources. We'll get into what offline means in a minute.
Here are two user risks that can be detected by Identity Protection: leaked credentials, which means that a user's valid credential has been leaked and found on the dark web. It can also detect unusual patterns in a user's activities over a period of time. It can detect
if the pattern being seen in the user's activity is consistent
with a known attack. This is a useful insight for us to have, but attempting to do this manually requires a lot of administrative effort, hence the value of a service like this.
A sign-in risk, on the other hand,
represents the likelihood that a given sign-in request is coming from someone else other than the legitimate user.
In other words, the probability that the user's credential has not only been compromised, but that it has been used to sign in by someone else. These risks are calculated in real time or calculated offline. Here are the different sign-in risks Identity Protection can detect. It can detect
sign-ins from an anonymous IP address, like a Tor browser or VPN,
and this sort of event usually indicates someone trying to hide their activity, and Identity Protection will flag these up. Atypical travel detection, which identifies two sign-ins originating from geographically distant locations by the same identity, and in this case it will only flag these
if one of the locations that the user has been detected to sign in from
is not a usual location for that user. For example, if I've never signed in from, let's say, the United States and all of a sudden I'm signing in from the United States, that's going to be flagged up. Malware-linked IP address,
which identifies sign-ins from an IP address that Microsoft Threat Intelligence knows has been compromised. Unfamiliar sign-in properties:
it identifies unusual sign-in properties for a user. In other words, not just based on the location, but based on other properties of the sign-in, it can detect if this is not familiar for the user. Malicious IP address, which identifies sign-ins from IP addresses that are known to have a bad
threat reputation. And it's going to be using different types of reputation sources for these.
And finally, an administrator can simply mark that a user's credential has been compromised based on the investigation using automates. Let's have a quick look at the different detection types that Identity Protection has. A detection type in Identity Protection
indicates the reported latency between when an activity happens
and when the risk is detected. There are two types of detection in Identity Protection. We have real-time detections and offline detections. Real-time detection means that a latency of 5 to 10 minutes exists between when an event happens and when it is detected. So detections like anonymous IP
or sign-ins from unfamiliar locations
are detected in real time. Offline detection means that we have a latency of 2 to 4 hours between when the event happens and when it is detected. So detections like leaked credentials, atypical travel, malware-linked IP address and malicious IP risks are detected offline.
Let's talk about the risk levels in Identity Protection.
Every detection type has a risk level classification. The risk level classification is an indicator of the severity and the confidence of a risk detection.
So this risk level could be high, it could be medium, or it could be low. A high risk level event means that there is a strong indication that a user's identity has been compromised, and any user account impacted should be remediated immediately. A medium risk level event means that there is a potential risk
and any user account impacted
should be remediated, but the urgency is lower than that of a high risk level event. A low risk level event means that an immediate action may not be required. But when combined with other risk detections, this may provide a strong indication that the identity has been compromised.
Leaked credential detection has a high risk level. Malware-linked IP detection
has a low risk level. All other detection types have a medium risk level. Here's a quiz question for you.
You are implementing conditional access policies.
You must evaluate the existing Azure AD risk events and risk levels to configure and implement the policies. You need to identify the risk level of the following risk events: users with leaked credentials, impossible travel to atypical locations,
sign-ins from IP addresses with suspicious activity.
Which level should you identify for each risk event? Choose between high, medium and low.
Number one: impossible travel to atypical locations.
If you selected medium, you would be correct.
Number two: users with leaked credentials.
If you selected high, you would be correct.
Number three: sign-ins from IP addresses with suspicious activity.
If you selected medium, you would be correct. Remember, the key to remembering these
is that leaked credentials have a high risk level,
malware-linked IP detection has a low risk level, and all other detection types have a medium risk level.
We'll pause the discussion here for now.
Here's a summary of what we covered in this lesson.
We started by giving an overview of what Identity Protection is.
We then discussed the risk types, the detection types and the risk levels in Identity Protection.
Thanks very much for watching, and I'll see you in the next lesson, where we'll conclude our discussion on Identity Protection.