Manage sensitive or honeytoken accounts
This article explains how to apply entity tags to sensitive accounts. This matters because several Defender for Identity detections, such as sensitive group modification detection and lateral movement paths, rely on an entity's sensitivity status.
Defender for Identity also lets you configure honeytoken accounts, which serve as traps for malicious actors: these accounts are normally dormant, so any authentication associated with them triggers an alert.
The following groups are considered Sensitive by Defender for Identity. Any entity that is a member of one of these Active Directory groups is considered sensitive:
- Network Configuration Operators
- Incoming Forest Trust Builders
- Group Policy Creator Owners
- Read-only Domain Controllers
- Enterprise Read-only Domain Controllers
- Microsoft Exchange Servers
Until September 2018, the Remote Desktop Users group was also automatically considered Sensitive by Defender for Identity. Remote Desktop Users entities or groups added after that date are no longer automatically marked as Sensitive, while those added before it may remain marked as Sensitive. This Sensitive setting can now be changed manually.
In addition to these groups, Defender for Identity identifies the following high-value asset servers and automatically tags them as Sensitive:
- Certificate Authority Server
- DHCP Server
- DNS Server
- Microsoft Exchange Server
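Because membership in these groups is what makes an account Sensitive, and group nesting is easy to overlook, it helps to enumerate the effective (recursive) membership of each listed group and compare it with what the portal tags. The following PowerShell script is an added example, not code from the Defender for Identity documentation; it assumes the RSAT ActiveDirectory module and read access to the domain, and the output file name is an arbitrary choice.

```powershell
# Added example (not from the Defender for Identity documentation): list the effective
# members of the groups this page names as Sensitive, flattening nested groups so that
# accounts that inherit membership indirectly are visible too.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Groups named on this page. Extend with any others your environment treats as sensitive.
$sensitiveGroups = @(
    'Network Configuration Operators',
    'Incoming Forest Trust Builders',
    'Group Policy Creator Owners',
    'Read-only Domain Controllers',
    'Enterprise Read-only Domain Controllers',
    'Microsoft Exchange Servers'
)

$results = foreach ($groupName in $sensitiveGroups) {
    # Some of these groups exist only in the forest root domain, or only when Exchange
    # is installed, so a missing group is reported rather than treated as an error.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Warning "Group '$groupName' not found in this domain."
        continue
    }
    # -Recursive expands nested groups, so every principal that is effectively a member
    # (and therefore effectively Sensitive) is returned, not just direct members.
    Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
        [pscustomobject]@{
            SensitiveGroup    = $groupName
            Member            = $_.SamAccountName
            ObjectClass       = $_.objectClass
            DistinguishedName = $_.distinguishedName
        }
    }
}

$results | Sort-Object Member, SensitiveGroup | Format-Table -AutoSize

# Keep a copy to diff against the Sensitive tags shown in the portal (file name is an assumption).
$results | Export-Csv -Path .\sensitive-members.csv -NoTypeInformation
```

Run it from a domain-joined host as a user with read access to the directory. Accounts that appear here but are not tagged Sensitive in the portal, or that are tagged Sensitive without appearing here, are the ones worth a second look.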
Manually tagging entities
You can also manually tag entities as sensitive or honeytoken accounts. If you manually tag additional users or groups, such as board members, company executives, and sales directors, Defender for Identity will consider them sensitive.
To manually tag entities, do the following:
1. In the Defender for Identity portal, select Configuration.
2. Under Detection, select Entity tags.
3. For each account that you want to configure, do the following:
   - Under Honeytoken accounts or Sensitive, enter the account name.
   - Click the plus icon (+).
Both fields are searchable and autocomplete with entities in your network.
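A honeytoken account is only a useful trap if it is genuinely dormant: nobody should legitimately know its password, and it should never have logged on. The following PowerShell script is an added example, not code from the Defender for Identity documentation or the portal procedure above. It creates a plausible-looking service account with a random, never-recorded password and checks lastLogon on every domain controller before you add the account under Honeytoken accounts in the portal. The account name, OU, UPN suffix and description are assumptions; pick ones that look natural in your own directory.

```powershell
# Added example (not from the Defender for Identity documentation): create a dormant
# honeytoken account and confirm it has never authenticated before tagging it in the portal.
# Assumes the RSAT ActiveDirectory module and rights to create users in the target OU.
Import-Module ActiveDirectory

$honeyName = 'svc-backup-legacy'                     # assumed name; should resemble a real service account
$targetOU  = 'OU=Service Accounts,DC=contoso,DC=com' # assumed OU
$upnSuffix = 'contoso.com'                           # assumed UPN suffix

# Random password that is never written down or used: nobody can legitimately know it,
# so any authentication with this account is suspicious by construction.
$bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

if (-not (Get-ADUser -Filter "SamAccountName -eq '$honeyName'")) {
    New-ADUser -Name $honeyName -SamAccountName $honeyName `
        -UserPrincipalName "$honeyName@$upnSuffix" `
        -Path $targetOU `
        -Description 'Legacy backup service account' `
        -AccountPassword $password `
        -PasswordNeverExpires $true `
        -Enabled $true   # enabled so the account looks live to anyone enumerating the directory
}

# Dormancy check. lastLogonTimestamp is replicated but only updated every ~14 days;
# lastLogon is exact but stored per DC, so every DC is queried.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$lastLogons = foreach ($dc in $dcs) {
    $u = Get-ADUser -Identity $honeyName -Server $dc -Properties lastLogon
    [pscustomobject]@{
        DC        = $dc
        LastLogon = $(if ($u.lastLogon) { [DateTime]::FromFileTime($u.lastLogon) } else { $null })
    }
}
$lastLogons | Format-Table -AutoSize

if ($lastLogons.LastLogon | Where-Object { $_ }) {
    Write-Warning "$honeyName has authenticated on at least one DC; investigate before relying on it as a honeytoken."
} else {
    Write-Host "$honeyName has never logged on; add it under Honeytoken accounts in the portal."
}
```

Rerun the dormancy section periodically: a honeytoken that starts accumulating legitimate logons (for example because someone reused the name for a real service) no longer produces a reliable signal and should be retired or renamed.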