ATPDocs/service-account-discovery.md
+15 -7 (15 additions & 7 deletions)
@@ -52,7 +52,7 @@ There are several options you can choose from to customize the identities list v
52
52
53
53
- Managed: The total number of service accounts that are gMSA (Group Managed Service Accounts) or sMSA (Managed Service Accounts)
54
54
55
-
- User:
55
+
- User: The total number of standard user accounts used for interactive logins or configured to run services.
56
56
57
57
- Critical: The total number of service accounts identified as critical.
58
58
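Review bot: The new User description ("standard user accounts used for interactive logins or configured to run services") is broader than what this page inventories, and it disagrees with the whats-new entry in this same commit, which calls them "user accounts operating as service accounts". As written, the count reads as if ordinary interactive users were included. Suggest wording along the lines of "The total number of user accounts that are operating as service accounts" so both files say the same thing.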
@@ -66,9 +66,9 @@ You can use the sort and filter functionality on each service account tab to get
66
66
- Domain: The Active Directory domain to which the identity belongs.
67
67
- Type: Specifies if the identity is a user account or service account.
68
68
- Criticality level: Indicates the critical level of the identity.
69
-
- Tags:
69
+
- Tags: Sensitive or Honey Token
70
70
- Auth protocols: Lists the available methods for verifying user identities, for example, Kerberos and NTLM (New Technology LAN Manager).
71
-
- Service classes:
71
+
- Service classes: Lists
72
72
- Sources: Indicates whether the identity is on-premises (originate from Active Directory), Cloud only (Microsoft Entra ID) or Hybrid (synced from AD to Microsoft Entra ID).
73
73
- Destinations -The number of resources the account is trying to access, such as a Domain Controller or remote desktop session.
74
74
- Connections:
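Review bot: The added line "- Service classes: Lists" stops mid-sentence, so the column still has no definition; finish it, for example by pointing at the service classes the Connections section of this file enumerates (LDAP, CIFS, RPC, HOST and so on). "- Tags: Sensitive or Honey Token" gives the possible values but not what the column means, unlike the neighbouring entries that open with a verb ("Indicates", "Lists"); something like "Tags: Indicates whether the identity is tagged Sensitive or Honey Token" would match them.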
@@ -77,13 +77,21 @@ You can use the sort and filter functionality on each service account tab to get
77
77
78
78
### Service accounts overview
79
79
80
-
For a deeper dive into what's happening in your service account select on the domain name and see the following information:
80
+
For a deeper dive into what's happening in your service account click on the domain name to see the following information:
81
81
82
82
**Connections**
83
83
Explore the connections made by these accounts, see insights into which machines were involved, their potential risk level, and identify abnormal interactions.
84
84
85
-
- The source is the physical device where the service account was initially executed.
86
-
- The destination is the resource or system the account is trying to access, such as a domain controller or remote desktop session.
87
-
- The connection shows the flow of activity, where the service account is used from the source device to reach and operate on the destination.
85
+
In order to capture network traffic we need to gather data from various places such as the device, service account, destination and what resource was requested.
86
+
87
+
Source: Where the network traffic or request originates from.
88
+
Source type: What kind of device or system is initiating the request. For example, server ,workstation, domain controller.
89
+
Source risk: Identicates the risk posed to the source from no risk to high risk.
90
+
Destination: Where the request is being directed to. The target system that the service account is trying to access. For example, when trying to access a destination server, there can be multiple resources on that server (e.g. a database and a file-server).
91
+
Destination type:
92
+
Auth protocols:
93
+
Service Class: A category of services within a network that defines the type of service being provided, often used for authentication and resource management. These include: Lightweight Directory Access Protoco (LDAP), Common Internet File System (CIFS), Remote Procedure Call (RPC), Remote Procedure Call Subsystem (RPCSS), "HTTP", Terminal Services (TERMSRV), and "HOST"
94
+
Count:
95
+
Last seen:
88
96
89
97
For more information about the following tabs, **Overview**, **Incidents and alerts**,**Observed in organization**, **Timeline**, and **Attack paths** see: [Investigate assets](/ATPDocs/investigate-assets.md#identity-details)
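Review bot: Four of the added field labels carry no description at all ("Destination type:", "Auth protocols:", "Count:", "Last seen:"), so the Connections section would publish with placeholders; fill them in or leave them out until the text is ready. The three removed bullets used "- " list markers, while the replacement lines have none, so in Markdown the consecutive lines from "Source:" to "Last seen:" will run together into one paragraph; keep the list prefix. Typos to fix in the added lines: "Identicates" (Indicates), "Protoco" (Protocol), "server ,workstation" (comma spacing), and the Service Class sentence has no closing period. "Source risk" says the risk is "posed to the source", which leaves it unclear whether the rating describes the source device itself; the intro sentence above speaks of the machines' "potential risk level", so reuse that wording. The opening "In order to capture network traffic we need to gather data..." reads like an internal note rather than reader-facing documentation and could be dropped.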
ATPDocs/whats-new.md
+14 (14 additions & 0 deletions)
@@ -24,6 +24,20 @@ For updates about versions and features released six months ago or earlier, see
24
24
25
25
## March 2025
26
26
27
+
### New: Service Account Discovery in Defender for Identity
28
+
29
+
30
+
Microsoft Defender for Identity now includes a Service Account Discovery capability, offering you centralized visibility into service accounts across your Active Directory environment.
31
+
32
+
This update provides:
33
+
34
+
- Automatic identification of Group Managed Service Accounts) ,Managed Service Accounts, and user accounts operating as service accounts.
35
+
36
+
- A centralized Service Accounts inventory, displaying key attributes like account type, authentication activity, privileges, and criticality.
37
+
38
+
For more information see: [Investigate and protect Service Accounts | Microsoft Defender for Identity](service-account-discovery.md)
39
+
40
+
27
41
### New Health Issue
28
42
29
43
New [health issue](health-alerts.md#network-configuration-mismatch-for-sensors-running-on-vmware) for cases where sensors running on VMware have network configuration mismatch.
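Review bot: The first added bullet has an unbalanced parenthesis and a misplaced comma: "Group Managed Service Accounts) ,Managed Service Accounts". The abbreviations appear to have been dropped; service-account-discovery.md in this commit writes "gMSA (Group Managed Service Accounts) or sMSA (Managed Service Accounts)", so reuse that form here. The hunk also adds two consecutive blank lines after the heading and again after the link, where one is enough, and "For more information see:" needs a comma after "information".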