Available in: Pro and Ultimate Plans
Introduction
The ITDR (Identity Threat Detection & Response), formerly known as "Cloud Directory Posture", focuses on user risk, trying to detect an attack in its early stage based on human behavior.
This new improved feature aims to find the most accurate and focused way to handle identity threats and prevent them from taking over a user account.
Guardz's research team uses advanced AI tools to parse the large amount of data we gather and look for anomalies that indicate an attack. This set of events will then define the triggered incidents in the platform. The incident that will be opened will be a set of findings, related to a specific user, connecting the dots across Guardz's different security controls.
Setting up ITDR
Follow the guidelines below to install the ITDR application:
Navigating ITDR in Guardz
Where to Find It?
In this dashboard, you can:
View the integrated ITDR applications:
Detection - Read only
Response - Read and write
See the number of active users.
Manage Approved Locations.
ITDR Incidents:
Incidents are a sophisticated combination of detections that were identified and may imply a security event.
An incident can involve: login success after multiple failed logins, impossible travel, credential abuse, OAuth token theft, mailbox takeover, and more.
For example, The Guardz ITDR can detect a covert login using various tactics, if it originates from an unfamiliar environment, token manipulations, flag near-simultaneous logins from distant regions as an impossible travel anomaly, identify brute-force login attempts that lead to account compromise, and catch malicious mailbox-forwarding rules that indicate potential data exfiltration. These detections automatically correlate into a single incident, turning multiple isolated alerts into one clear, actionable narrative.
Notifications:
Once an incident has been opened, the MSP will be notified about it immediately through:
Email alert
Red notification banner at the top of the platform
Incidents View
Incidents can be found in the Detection & Response page, under a separate category at the top.
You can view the detailed events in each incident using the 'Timeline Details' or using the 'Timeline Graph', to better understand what led to it.
Actions
3.1 The main response:
Suspend user account - It allows for suspending the user from accessing the productivity suite.
If you wish to bring them back online, it should be done via your cloud directory.
*Supported in M365 only
*One-click user suspension requires installation of the Guardz "Response" app.
3.2 Additional actions to choose from:
Create report - download a full detailed report of the incident
View playbook - view the detailed step-by-step guide on how to handle the issue and link to the full technical guides.
Close incident - changes the status of the incident to closed.
ITDR Issues
ITDR continuously scans and creates issues for the following detections:
Inactive users: Monitoring of cloud apps identifies inactive accounts, inherently vulnerable & often overlooked, to mitigate the risk of unauthorized access.
Suspicious mailbox rules: Detects suspicious mailbox rules that could automate data exfiltration to external addresses & other methods facilitating unauthorized data access.
MFA not configured: Detects lack of MFA for users & admins, exposing a critical vulnerability in identity & access management and reducing the security posture.
Abnormal logins (Google only): Detects unusual login attempts, signaling potential security breaches & prompting immediate measures to safeguard account integrity.
Note: with the launch of ITDR incidents, M365 suspicious logins will no longer be managed or remediated as individual issues and will only be visible as part of a broader incident. This will greatly reduce false positives.
Managed ITDR (Available for Ultimate plan only)
Set up your MDR (Managed Detection and Response)
Integrate the Guardz "Response" application to allow writing privileges under: Security Controls > Identity Threat Detection & Response (ITDR) > 'Response Application > 'Install Response App'
*Supported in M365 only
Configure remediation preferences: Suspend user and choose "Automated" if you would like the SOC team to act on your behalf, under: Security Controls > Managed Detection and Response (MDR) > Emergency Contact & Preferences
Provide your contact details
The value of using MDR
The MDR/SOC team will review & triage all incidents using human analysts and expert support. When an actual security threat is identified, they'll take action based on remediation preferences to resolve the incident, communicate with admins, and give incident support as needed.
Approved Locations & Abnormal Logins
Setting up the 'Approved Locations' navigate in the Single customer view to Security Controls > Identity Threat Detection & Response (ITDR) > Approved Locations > Edit
How Does Guardz Identify Suspicious Logins?
Upon the initial integration with ITDR, Guardz analyzes historical login data from the last 7 days to establish a normal login benchmark.
A login is flagged as abnormal if it occurs outside the approved norm.
You can add or remove locations manually at any time.
Approved Locations are tracked by:
IP Addresses
Countries
Cities
Removing a location:
Logins from that location will no longer generate an issue.
Existing issues related to that location will be closed.
Adding a location:
You can specify either an IP address or City/Country.
For broader control, add an IP range (e.g., 1.1.1.1/24) or allow an entire country.
FAQ: ITDR
Question: Why does an issue state “MFA Missing Member” even though MFA is enabled?
📍Answer: The user may need to create a password specifically for MFA authentication.
Question: How often does the MFA scan run?
📍Answer: The scan runs every 2 hours, and immediately when new users are added within the tenant. If a user is deleted within the tenant, it can take up to 2 hours for the user to be removed within Guardz.
Question: How does Guardz determine the benchmark for normal logins?
📍Answer: Benchmark Rules:
Guardz pulls login activity from the last 7 days upon initial setup.
If a login occurs 3+ times from the same location, it becomes an approved benchmark location.
Question: Why can’t I enable Audit Logs in Microsoft 365?
📍Answer: : Microsoft 365 Basic License does not support Audit Logs. You must upgrade to a higher-tier license.