
Identity Threat Detection and Response (ITDR)

Actively protect users by monitoring security posture and cloud activity. Formerly called Cloud Directory Posture.

Updated today

Available in: Pro and Ultimate Plans

Introduction

ITDR (Identity Threat Detection & Response), formerly known as "Cloud Directory Posture", focuses on user risk: it tries to detect an attack at an early stage, based on human behavior.

This new, improved feature aims to find the most accurate and focused way to handle identity threats and prevent them from taking over a user account.

Guardz's research team uses advanced AI tools to parse the large amount of data we gather and to look for anomalies that indicate an attack. This set of events then defines the incidents triggered in the platform. Each incident that is opened is a set of events related to a specific user, connecting the dots across Guardz's different security controls.


Setting up ITDR
Follow the guidelines below to install the ITDR application:


Navigating ITDR in Guardz

Where to Find It?


In this dashboard, you can:

  • View the integrated ITDR applications:

    • Detection - Read only

    • Response - Read and write

  • See the number of active users.

  • Manage Approved Locations.

Incidents:

Incidents are a sophisticated combination of detections that were identified and may imply a security event.
An incident can involve: login success after multiple failed logins, impossible travel, credential abuse, OAuth token theft, mailbox takeover, and more.

For example, Guardz ITDR can detect a covert login that uses various tactics or originates from an unfamiliar environment, detect token manipulation, flag near-simultaneous logins from distant regions as an impossible-travel anomaly, identify brute-force login attempts that lead to account compromise, and catch malicious mailbox-forwarding rules that indicate potential data exfiltration. These detections are automatically correlated into a single incident, turning multiple isolated alerts into one clear, actionable narrative.
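To make the correlation idea concrete, here is an added example (not Guardz's code, and not its actual detection logic) that groups isolated detections per user and opens an incident only when they chain into an account-takeover story: a burst of failed logins followed by a success from the same IP, optionally followed by a new mailbox-forwarding rule. The event schema, the thresholds and the sample detections are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not Guardz's tuning.
FAILED_LOGIN_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
POST_COMPROMISE_WINDOW = timedelta(hours=1)

# Constructed sample detections (not real telemetry). Each is one isolated
# signal that a security control raised; on its own, none tells the full story.
SAMPLE_DETECTIONS = [
    {"user": "alice@example.com", "time": "2024-05-01T08:00:00", "kind": "failed_login", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "time": "2024-05-01T08:00:20", "kind": "failed_login", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "time": "2024-05-01T08:00:40", "kind": "failed_login", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "time": "2024-05-01T08:01:00", "kind": "failed_login", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "time": "2024-05-01T08:01:30", "kind": "failed_login", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "time": "2024-05-01T08:02:00", "kind": "login_success", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "time": "2024-05-01T08:10:00", "kind": "forwarding_rule_created", "ip": "203.0.113.10"},
    # Bob: one typo then a success. Noise, not an incident.
    {"user": "bob@example.com", "time": "2024-05-01T09:00:00", "kind": "failed_login", "ip": "198.51.100.7"},
    {"user": "bob@example.com", "time": "2024-05-01T09:05:00", "kind": "login_success", "ip": "198.51.100.7"},
    # Carol: a forwarding rule with no preceding compromise signal. Also not an incident here.
    {"user": "carol@example.com", "time": "2024-05-01T10:00:00", "kind": "forwarding_rule_created", "ip": "198.51.100.9"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_brute_force_success(events):
    """Return the first successful login preceded by a burst of failures from the same IP, or None."""
    failures = []
    for event in events:  # events must be sorted by time
        if event["kind"] == "failed_login":
            failures.append(event)
        elif event["kind"] == "login_success":
            burst = [f for f in failures
                     if f["ip"] == event["ip"] and _ts(event) - _ts(f) <= BRUTE_FORCE_WINDOW]
            if len(burst) >= FAILED_LOGIN_THRESHOLD:
                return event
    return None


def correlate_incidents(detections):
    """Group detections per user and open one incident when they chain into a takeover story."""
    by_user = defaultdict(list)
    for detection in detections:
        by_user[detection["user"]].append(detection)

    incidents = {}
    for user, events in by_user.items():
        events.sort(key=_ts)
        compromise = find_brute_force_success(events)
        if compromise is None:
            continue  # no takeover signal for this user: the isolated alerts stay just that
        timeline = [{"time": compromise["time"], "detection": "brute_force_login_success"}]
        # Post-compromise persistence: a forwarding rule created soon after the takeover.
        for event in events:
            delta = _ts(event) - _ts(compromise)
            if event["kind"] == "forwarding_rule_created" and timedelta(0) <= delta <= POST_COMPROMISE_WINDOW:
                timeline.append({"time": event["time"], "detection": "mailbox_forwarding_rule"})
        incidents[user] = {
            "user": user,
            "source_ip": compromise["ip"],
            "severity": "high" if len(timeline) > 1 else "medium",
            "timeline": timeline,
        }
    return incidents


if __name__ == "__main__":
    for user, incident in correlate_incidents(SAMPLE_DETECTIONS).items():
        print(user, incident["severity"], [t["detection"] for t in incident["timeline"]])
```

Only Alice gets an incident: Bob's single failure never reaches the brute-force threshold, and Carol's forwarding rule has no compromise to attach to. The point is the one the section makes: the per-user timeline, not any single alert, is the unit a responder acts on.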

  1. Notifications:

    Once an incident has been opened, the MSP will be notified about it immediately through:

    • Email alert

    • Red notification banner at the top of the platform


  2. Incidents View

    Incidents can be found in the Detection & Response page, under a separate category at the top.

    You can view the detailed events in each incident using 'Timeline Details' or 'Timeline Graph', to better understand what led to it.


  3. Actions

    3.1 The main response:

    • Suspend user account - suspends the user's access to the productivity suite.
      To bring them back online, re-enable the user in your cloud directory.
      *Supported in M365 only
      *One-click user suspension requires installation of the Guardz "Response" app.


    3.2 Additional actions to choose from:

    • Create report - download a full detailed report of the incident

    • View playbook - view the detailed step-by-step guide on how to handle the issue and link to the full technical guides.

    • Close incident - changes the status of the incident to closed.

  4. Standalone Suspicious Logins

    When a detection is part of an incident, it may not appear as a separate issue. For example, Suspicious Logins in M365 are no longer managed or remediated as a separate issue and only appear as part of a broader incident.

Managed ITDR (Available for Ultimate plan only)

  1. Set up your MDR (Managed Detection and Response)

    1. Integrate the Guardz "Response" application to allow writing privileges under: Security Controls > Identity Threat Detection & Response (ITDR) > 'Response Application' > 'Install Response App'
      *Supported in M365 only

    2. Configure remediation preferences: Suspend user and choose "Automated" if you would like the SOC team to act on your behalf, under: Security Controls > Managed Detection and Response (MDR) > Emergency Contact & Preferences

    3. Provide your contact details

  2. The value of using MDR

    The MDR/SOC team will review & triage all incidents using human analysts and expert support. When an actual security threat is identified, they'll take action based on remediation preferences to resolve the incident, communicate with admins, and give incident support as needed.


Approved Locations & Abnormal Logins

To set up Approved Locations, navigate in the single-customer view to Security Controls > Identity Threat Detection & Response (ITDR) > Approved Locations > Edit.

How Does Guardz Identify Suspicious Logins?

Upon the initial integration with ITDR, Guardz analyzes historical login data from the last 7 days to establish a normal login benchmark.

A login is flagged as abnormal if it occurs outside the approved norm.

You can add or remove locations manually at any time.


Approved Locations are tracked by:

  • IP Addresses

  • Countries

  • Cities

Removing a location:

Logins from that location will no longer generate an issue.

Existing issues related to that location will be closed.

Adding a location:

You can specify either an IP address or City/Country.

For broader control, add an IP range (e.g., 1.1.1.1/24) or allow an entire country.


FAQ: ITDR

Question: Why does an issue state “MFA Missing Member” even though MFA is enabled?
📍Answer: The user may need to create a password specifically for MFA authentication.

Question: How often does the MFA scan run?
📍Answer: The scan runs every 2 hours, and immediately when new users are added within the tenant. If a user is deleted within the tenant, it can take up to 2 hours for the user to be removed within Guardz.

Question: How does Guardz determine the benchmark for normal logins?
📍Answer: Benchmark Rules:

  • Guardz pulls login activity from the last 7 days upon initial setup.

  • If a login occurs 3+ times from the same location, it becomes an approved benchmark location.
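The benchmark rules above and the Approved Locations section (IPs, IP ranges, cities, countries; issues closed once their location is approved) describe a small, well-defined algorithm. The following is an added example, not Guardz's code and not its actual implementation: it learns approved locations from a constructed 7-day login history using the 3+ rule, flags later logins outside that norm, and reconciles open issues after an admin approves a range. The login schema, the sample data and the reading that approving a location closes its existing issues are assumptions of this example.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

BENCHMARK_DAYS = 7            # history window examined at initial setup (from the page)
MIN_LOGINS_PER_LOCATION = 3   # logins needed before a location is approved (from the page)

# Constructed sample login history (not real tenant data). Setup happens on 2024-05-08.
SETUP_TIME = datetime(2024, 5, 8)
HISTORY = [
    {"user": "alice", "time": "2024-05-01T08:00:00", "ip": "203.0.113.10", "city": "Boston", "country": "US"},
    {"user": "alice", "time": "2024-05-02T08:05:00", "ip": "203.0.113.10", "city": "Boston", "country": "US"},
    {"user": "alice", "time": "2024-05-03T08:02:00", "ip": "203.0.113.10", "city": "Boston", "country": "US"},
    {"user": "alice", "time": "2024-05-04T08:11:00", "ip": "203.0.113.10", "city": "Boston", "country": "US"},
    {"user": "bob",   "time": "2024-05-05T09:00:00", "ip": "198.51.100.7", "city": "Chicago", "country": "US"},
    {"user": "bob",   "time": "2024-05-06T09:00:00", "ip": "198.51.100.7", "city": "Chicago", "country": "US"},
    # Older than 7 days before setup, so it must not count toward the benchmark.
    {"user": "bob",   "time": "2024-04-20T09:00:00", "ip": "198.51.100.7", "city": "Chicago", "country": "US"},
]
# Constructed logins seen after setup, to be checked against the benchmark.
NEW_LOGINS = [
    {"user": "alice", "time": "2024-05-09T08:00:00", "ip": "203.0.113.10",  "city": "Boston",  "country": "US"},
    {"user": "alice", "time": "2024-05-09T12:00:00", "ip": "203.0.113.200", "city": "Boston",  "country": "US"},
    {"user": "bob",   "time": "2024-05-09T09:00:00", "ip": "198.51.100.7",  "city": "Chicago", "country": "US"},
    {"user": "alice", "time": "2024-05-09T13:00:00", "ip": "192.0.2.77",    "city": "Berlin",  "country": "DE"},
]


class ApprovedLocations:
    """Approved IPs/ranges, cities and countries; a login matching any of them is normal."""

    def __init__(self):
        self.networks = set()   # ip_network objects; a single IP becomes a /32
        self.cities = set()     # (country, city) pairs
        self.countries = set()

    def add_ip_range(self, cidr):
        # strict=False accepts a range written with host bits set, like the page's 1.1.1.1/24
        self.networks.add(ipaddress.ip_network(cidr, strict=False))

    def remove_ip_range(self, cidr):
        self.networks.discard(ipaddress.ip_network(cidr, strict=False))

    def add_city(self, country, city):
        self.cities.add((country, city))

    def add_country(self, country):
        self.countries.add(country)

    def is_approved(self, login):
        ip = ipaddress.ip_address(login["ip"])
        return (any(ip in net for net in self.networks)
                or (login["country"], login["city"]) in self.cities
                or login["country"] in self.countries)


def build_benchmark(history, setup_time):
    """Learn approved locations from the BENCHMARK_DAYS of logins before setup_time."""
    cutoff = setup_time - timedelta(days=BENCHMARK_DAYS)
    ip_counts, city_counts = Counter(), Counter()
    for login in history:
        seen = datetime.fromisoformat(login["time"])
        if not cutoff <= seen <= setup_time:
            continue  # outside the 7-day window
        ip_counts[login["ip"]] += 1
        city_counts[(login["country"], login["city"])] += 1
    approved = ApprovedLocations()
    for ip, n in ip_counts.items():
        if n >= MIN_LOGINS_PER_LOCATION:
            approved.add_ip_range(ip)
    for (country, city), n in city_counts.items():
        if n >= MIN_LOGINS_PER_LOCATION:
            approved.add_city(country, city)
    return approved


def flag_abnormal_logins(logins, approved):
    """Each login outside the approved norm becomes an open issue."""
    return [dict(login, status="open") for login in logins if not approved.is_approved(login)]


def reconcile_issues(issues, approved):
    """Close existing issues whose location has since been approved; return those still open."""
    for issue in issues:
        if approved.is_approved(issue):
            issue["status"] = "closed"
    return [issue for issue in issues if issue["status"] == "open"]


if __name__ == "__main__":
    approved = build_benchmark(HISTORY, SETUP_TIME)
    issues = flag_abnormal_logins(NEW_LOGINS, approved)
    print("open issues:", [(i["user"], i["ip"]) for i in issues])
    approved.add_ip_range("198.51.100.7/24")  # admin approves Bob's office range
    print("still open:", [(i["user"], i["ip"]) for i in reconcile_issues(issues, approved)])
```

Alice's four Boston logins approve both her IP and the city, so her login from a different Boston address passes on the city match. Bob's two in-window logins fall short of the 3+ rule (the older one is outside the 7-day window), so his login is flagged until the admin approves his office range, after which that issue closes and only the Berlin login remains open.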

Question: Why can’t I enable Audit Logs in Microsoft 365?
📍Answer: Microsoft 365 Basic License does not support Audit Logs. You must upgrade to a higher-tier license.
