What is it all about?
The ITDR (Identity Threat Detection & Response) service, formerly known as "Cloud Directory Posture", focuses on user risk, aiming to detect an attack at an early stage based on user behavior.
This improved feature aims to find the most accurate and focused way to handle identity threats and prevent them from taking over a user account.
Guardz's research team uses advanced AI tools to parse the large amount of data we gather and look for anomalies that indicate an attack. This set of events then defines the incidents triggered in the platform. The incident that is opened is a set of findings related to a specific user, connecting the dots across Guardz's different security controls.
Available in: Pro and Ultimate Plans.
Detection Logic
A newly enhanced and smarter detection logic is now live for Microsoft (including MDR), supporting incident generation and automatic remediation. For Google, the current detection logic offers foundational coverage, with ongoing efforts to bring it to a similar level.
Setting Up The Service: Step-by-Step
1. Connect the ITDR Application (Detection Permissions)
This step ensures that the ITDR application is granted detection-level permissions required to identify potential security issues. Once setup is complete, Guardz gets access to all users associated with that domain, including their login history and related identity data. Additionally, the ITDR section becomes available, allowing admins to view the number of active users and deactivate users directly from this view.
For Microsoft:
Follow the instructions in the "Connect ITDR Detection" section in this article.
For Google:
Follow the instructions in the "Connect ITDR Detection" section in this article.
2. Enable Response Permissions (for Microsoft Only)
In addition to detection mode, Microsoft environments support response capabilities that allow Guardz to actively remediate certain issues (this step is optional but recommended for full remediation capabilities).
Admins can enable this functionality by granting additional permissions.
To grant ‘Response’ permissions:
Select the relevant customer
Go to the ‘ITDR’ section in the ‘Security Controls’ tab
Click on the ‘Install Response Application’ button
Select the relevant account and click on the ‘Install’ button
3. Add Locations (Optional)
Upon initial integration with ITDR, Guardz analyzes historical login data from the past 7 days to establish a baseline for normal login behavior. Any login that falls outside this established norm is flagged as abnormal. Admins can manually add or remove approved locations at any time.
To add locations:
Once successfully inserted, the new location appears on the list
To remove locations:
4. Review Global Settings
Admins can view the ITDR functionality status across all their customers in a single, centralized dashboard:
Switch to ‘All Customers’ view mode
Go to the ‘ITDR’ section in the ‘Security Controls’ tab
Review the ITDR dashboard
ITDR Spotted Threats
The suspicious elements detected by ITDR will appear in the system in two forms: issues and incidents.
1. Issues (for all ITDR Customers)
A. Types:
Inactive users: monitoring of cloud apps identifies inactive accounts, which are inherently vulnerable & often overlooked, to mitigate the risk of unauthorized access.
Suspicious mailbox rules: detects suspicious mailbox rules that could automate data exfiltration to external addresses & other methods facilitating unauthorized data access.
MFA not configured: detects lack of MFA for users & admins, exposing a critical vulnerability in identity & access management and reducing the security posture.
Abnormal logins (Google only): detects unusual login attempts, signaling potential security breaches & prompting immediate measures to safeguard account integrity. Currently, abnormal logins for Microsoft will appear as an incident.
B. Management and Remediation:
Guardz identifies and reports any issues found by the ITDR scan. Admins can take action directly on these issues to address and remediate them.
Specific Issues Related Information:
Suspicious logins:
Guardz pulls login activity from the last 7 days upon initial setup
If a login occurs 3+ times from the same location, it becomes an approved benchmark location
MFA
The scan runs every 2 hours and is triggered immediately when new users are added. If a user is deleted, it may take up to 2 hours for the user to be removed from Guardz.
Users might need to create a password specifically for MFA authentication even if MFA is already enabled
2. Incidents (Currently for Microsoft Workspaces Only)
A. Types:
Incidents are intelligently correlated sets of detections that together suggest a potential security event, such as:
Successful login following multiple failed attempts
Impossible travel (e.g., logins from geographically distant locations)
Credential misuse
OAuth token compromise
Mailbox takeover
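As an added illustration of the detection rules this article describes (the "Suspicious logins" baseline above, where 3+ logins from one location inside the 7-day window become an approved benchmark, and the incident types just listed: a successful login after multiple failures and impossible travel), here is a small Python replay over constructed sign-in events. This is not Guardz's code; the failure count and the plausible-travel speed are assumed thresholds, not values from the article.

```python
from collections import Counter
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample events (not real Guardz data): (timestamp, result, location, lat, lon)
EVENTS = [
    ("2024-05-01T08:00:00", "success", "Tel Aviv", 32.08, 34.78),
    ("2024-05-02T08:05:00", "success", "Tel Aviv", 32.08, 34.78),
    ("2024-05-03T08:02:00", "success", "Tel Aviv", 32.08, 34.78),
    ("2024-05-03T10:00:00", "success", "London", 51.51, -0.13),
    ("2024-05-06T12:00:00", "failure", "Lagos", 6.52, 3.38),
    ("2024-05-06T12:01:00", "failure", "Lagos", 6.52, 3.38),
    ("2024-05-06T12:02:00", "failure", "Lagos", 6.52, 3.38),
    ("2024-05-06T12:03:00", "success", "Lagos", 6.52, 3.38),
]
NOW = datetime.fromisoformat("2024-05-07T00:00:00")  # constructed "current time"
BASELINE_DAYS = 7          # from the article: baseline built from the past 7 days
APPROVAL_THRESHOLD = 3     # from the article: 3+ logins from a location -> approved
MULTIPLE_FAILURES = 3      # assumption: failures needed before a success is flagged
MAX_PLAUSIBLE_KMH = 900.0  # assumption: implied speed above this is "impossible travel"

def haversine_km(lat1, lon1, lat2, lon2):  # great-circle distance, Earth radius 6371 km
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def approved_locations(events, now=NOW):  # learn the baseline from the 7-day window
    since = now - timedelta(days=BASELINE_DAYS)
    counts = Counter(loc for t, r, loc, _, _ in events
                     if r == "success" and since <= datetime.fromisoformat(t) <= now)
    return {loc for loc, n in counts.items() if n >= APPROVAL_THRESHOLD}

def findings(events, now=NOW):  # replay events in time order; return (finding, location)
    approved = approved_locations(events, now)
    out, failures, last_ok = [], 0, None
    for t, r, loc, lat, lon in sorted(events):
        ts = datetime.fromisoformat(t)
        if r != "success":
            failures += 1          # count failures until the next success
            continue
        if loc not in approved:    # login from outside the learned baseline
            out.append(("abnormal_login", loc))
        if failures >= MULTIPLE_FAILURES:
            out.append(("success_after_failures", loc))
        if last_ok is not None:    # implied speed since the previous successful login
            hours = (ts - last_ok[0]).total_seconds() / 3600
            if hours > 0 and haversine_km(*last_ok[1:], lat, lon) / hours > MAX_PLAUSIBLE_KMH:
                out.append(("impossible_travel", loc))
        failures, last_ok = 0, (ts, lat, lon)
    return out
```

With the sample data, only Tel Aviv reaches three logins and becomes the benchmark; the London login is flagged both as abnormal and as impossible travel (about 3,560 km in under two hours), and the Lagos success is flagged as abnormal and as a success following multiple failures.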
B. Notifications & View:
Once an incident has been opened, the admins will be notified by:
An incident's full details can be found in the 'Detection & Response' section, under a separate category at the top.
Admins can view the detected findings for each incident using 'Timeline Details' or the 'Timeline Graph'.
C. Incidents Management & Remediation:
Admins have two options for handling incidents:
1. Self-management
Suspend The User:
Admins can suspend a user's account to block access to the productivity suite; this is currently supported for Microsoft 365 only (to reinstate access, use your cloud directory).
To suspend a user, open the relevant incident and click on the ‘Suspend User Account’ button
Please note:
One-click suspension requires installation of the Guardz "Response" app.
The ‘Suspend’ action has been enhanced to also revoke all active user sessions, meaning that when a user is suspended, they are immediately logged out from all currently active sessions across all devices and platforms.
Additional Action Items:
Create report: download a full detailed report of the incident
View playbook: view the detailed step-by-step guide on how to handle the issue and link to the full technical guides (you may also review and follow these user guides)
Close incident: changes the status of the incident to closed
2. MDR Service
Let our MDR team handle incidents on your behalf (available for ‘Ultimate’ clients only). The team will review and triage all incidents using human analysts and expert support. When an actual security threat is identified, they will take action based on remediation preferences to resolve the incident, communicate with admins, and give incident support as needed.
How to set up the service
Make sure the Guardz "Response" application is installed
Configure remediation preferences:
Please note:
The MDR team, by nature of their role in monitoring and incident response, will typically take immediate actions such as suspending the user. However, you may still need to perform additional steps to fully resolve the incident by following the appropriate user guides.