
Identity Threat Detection and Response (ITDR)

Updated yesterday

What is it all about?

ITDR (Identity Threat Detection & Response), formerly known as the "Cloud Directory Posture" service, focuses on user risk and aims to detect an attack at an early stage based on human behavior.

This improved feature aims to handle identity threats in the most accurate and focused way and to prevent them from turning into an account takeover.

Guardz's research team uses advanced AI tools to parse the large amount of data we gather and look for anomalies that indicate an attack. These anomalous events define the incidents triggered in the platform. Each opened incident is a set of findings related to a specific user, connecting the dots across Guardz's different security controls.

Available in: Pro and Ultimate Plans.

Detection Logic

A newly enhanced and smarter detection logic is now live for Microsoft (including MDR), supporting incident generation and automatic remediation. For Google, the current detection logic offers foundational coverage, with ongoing efforts to bring it to a similar level.


Setting Up The Service: Step-by-Step

1. Connect the ITDR Application (Detection Permissions)

This step ensures that the ITDR application is granted detection-level permissions required to identify potential security issues. Once setup is complete, Guardz gets access to all users associated with that domain, including their login history and related identity data. Additionally, the ITDR section becomes available, allowing admins to view the number of active users and deactivate users directly from this view.

  • For Microsoft:

    Follow the instructions in the "Connect ITDR Detection" section in this article.

  • For Google:

    Follow the instructions in the "Connect ITDR Detection" section in this article.

2. Enable Response Permissions (for Microsoft Only)

In addition to detection mode, Microsoft environments support response capabilities that allow Guardz to actively remediate certain issues (this step is optional but recommended for full remediation capabilities).

  • Admins can enable this functionality by providing additional permissions

  • To grant ‘Response’ permissions:

    • Select the relevant customer

    • Go to the ‘ITDR’ section in the ‘Security Controls’ tab

    • Click on the ‘Install Response Application’ button

    • Select the relevant account and click on the ‘Install’ button

3. Add Locations (Optional)

Upon initial integration with ITDR, Guardz analyzes historical login data from the past 7 days to establish a baseline for normal login behavior. Any login that falls outside this established norm is flagged as abnormal. Admins can manually add or remove approved locations at any time.

  • To add locations:

    • Go to the ‘ITDR’ section in the ‘Security Controls’ tab

    • Enable the 'Approved Locations' option

    • Click on the ‘Edit’ button

    • Click on the ‘Add New Location’ button

    • Insert the relevant details (IP / Location)

Once successfully inserted, the new location appears on the list

  • To remove locations:

    • Go to the ‘ITDR’ section in the ‘Security Controls’ tab

    • Click on the ‘Edit’ button

    • Click on the ‘Delete’ icon next to the relevant record

4. Review Global Settings

Admins can view the ITDR functionality status across all their customers in a single, centralized dashboard:

  • Switch to ‘All Customers’ view mode

  • Go to the ‘ITDR’ section in the ‘Security Controls’ tab

  • Review the ITDR dashboard


ITDR Spotted Threats

The suspicious elements detected by ITDR will appear in the system in two forms: issues and incidents.

1. Issues (for all ITDR Customers)

A. Types:

  • Inactive users: monitoring of cloud apps identifies inactive accounts, which are inherently vulnerable and often overlooked, to mitigate the risk of unauthorized access.

  • Suspicious mailbox rules: detects mailbox rules that could automate data exfiltration to external addresses or otherwise facilitate unauthorized data access.

  • MFA not configured: detects users and admins without MFA, a critical gap in identity and access management that weakens the security posture.

  • Abnormal logins (Google only): detects unusual login attempts, signaling potential security breaches & prompting immediate measures to safeguard account integrity. Currently, abnormal logins for Microsoft will appear as an incident.

B. Management and Remediation:

Guardz identifies and reports any issues related to the ITDR scan. Admins can take action directly on these issues to address and remediate them.

Specific Issues Related Information:

  • Suspicious logins:

    • Guardz pulls login activity from the last 7 days upon initial setup

    • If a login occurs 3+ times from the same location, it becomes an approved benchmark location

  • MFA

    • The scan runs every 2 hours and is triggered immediately when new users are added. If a user is deleted, it may take up to 2 hours for the user to be removed from Guardz

    • Users might need to create a password specifically for MFA authentication even if MFA is already enabled
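The baseline logic described above (7 days of login history, a location becomes a benchmark after 3+ logins, admin-approved locations are always normal), as an added Python illustration that is not Guardz's own code; the login history, the approved location and the thresholds are constructed sample values.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample sign-in history: (user, timestamp, location). Not real data.
HISTORY = [
    ("alice", datetime(2024, 5, 1, 9, 0), "Tel Aviv, IL"),
    ("alice", datetime(2024, 5, 2, 9, 5), "Tel Aviv, IL"),
    ("alice", datetime(2024, 5, 3, 8, 55), "Tel Aviv, IL"),
    ("alice", datetime(2024, 5, 4, 18, 0), "London, UK"),   # one-off, below threshold
    ("alice", datetime(2024, 5, 6, 9, 1), "Tel Aviv, IL"),
]
NOW = datetime(2024, 5, 7, 12, 0)   # assumed time of initial setup
BASELINE_DAYS = 7                   # history window analysed at initial setup
MIN_LOGINS = 3                      # logins from one location needed to make it a benchmark


def build_baseline(history, now, days=BASELINE_DAYS, min_logins=MIN_LOGINS):
    """Return {user: set(locations)} seen at least `min_logins` times in the last `days` days."""
    cutoff = now - timedelta(days=days)
    counts = Counter((user, loc) for user, ts, loc in history if ts >= cutoff)
    baseline = {}
    for (user, loc), n in counts.items():
        if n >= min_logins:
            baseline.setdefault(user, set()).add(loc)
    return baseline


def is_abnormal(baseline, approved, user, location):
    """A login is abnormal when its location is neither a benchmark nor admin-approved."""
    return location not in baseline.get(user, set()) and location not in approved


def run(now=NOW):
    """Evaluate a few constructed logins against the baseline; returns {(user, loc): abnormal}."""
    baseline = build_baseline(HISTORY, now)
    approved = {"Berlin, DE"}  # hypothetical location added manually by an admin
    checks = [
        ("alice", "Tel Aviv, IL"),  # benchmark location -> normal
        ("alice", "London, UK"),    # seen only once in the window -> abnormal
        ("alice", "Berlin, DE"),    # manually approved -> normal
        ("bob", "Tel Aviv, IL"),    # no baseline at all for bob -> abnormal
    ]
    return {(u, loc): is_abnormal(baseline, approved, u, loc) for u, loc in checks}
```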

2. Incidents (Currently for Microsoft Workspaces Only)

A. Types:

Incidents are intelligently correlated sets of detections that together suggest a potential security event, such as:

  • Successful login following multiple failed attempts

  • Impossible travel (e.g., logins from geographically distant locations)

  • Credential misuse

  • OAuth token compromise

  • Mailbox takeover
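An added Python illustration, not Guardz's own code, of how the first two incident types above can be correlated from raw sign-in events: the sign-in log, the failure threshold, the time window and the travel-speed limit are constructed assumptions.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in log: (timestamp, user, success, lat, lon). Not real data.
EVENTS = [
    (datetime(2024, 5, 7, 8, 0), "alice", False, 32.08, 34.78),  # failed logins from Tel Aviv
    (datetime(2024, 5, 7, 8, 1), "alice", False, 32.08, 34.78),
    (datetime(2024, 5, 7, 8, 2), "alice", False, 32.08, 34.78),
    (datetime(2024, 5, 7, 8, 3), "alice", False, 32.08, 34.78),
    (datetime(2024, 5, 7, 8, 4), "alice", True, 32.08, 34.78),   # success after 4 failures
    (datetime(2024, 5, 7, 9, 0), "alice", True, 40.71, -74.01),  # New York one hour later
]
FAIL_THRESHOLD = 3                 # assumed: failures that make a following success suspicious
FAIL_WINDOW = timedelta(minutes=30)  # assumed: failures older than this are forgotten
MAX_SPEED_KMH = 900.0              # assumed: faster than this between logins is impossible travel


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points (haversine formula)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def correlate(events):
    """Return [(user, finding, timestamp)] for the two incident patterns, in time order."""
    findings = []
    state = {}  # user -> {"fails": [timestamps], "last_ok": (ts, lat, lon) or None}
    for ts, user, ok, lat, lon in sorted(events):
        s = state.setdefault(user, {"fails": [], "last_ok": None})
        s["fails"] = [t for t in s["fails"] if ts - t <= FAIL_WINDOW]  # drop stale failures
        if not ok:
            s["fails"].append(ts)
            continue
        if len(s["fails"]) >= FAIL_THRESHOLD:
            findings.append((user, "success_after_failures", ts))
        if s["last_ok"] is not None:
            prev_ts, prev_lat, prev_lon = s["last_ok"]
            hours = (ts - prev_ts).total_seconds() / 3600
            if hours > 0 and distance_km(prev_lat, prev_lon, lat, lon) / hours > MAX_SPEED_KMH:
                findings.append((user, "impossible_travel", ts))
        s["fails"] = []               # a success resets the failure streak
        s["last_ok"] = (ts, lat, lon)
    return findings
```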

B. Notifications & View:

  • Once an incident has been opened, the admins will be notified by:

    • Email alert

    • Red notification banner at the top of the platform

  • An incident's full details can be found in the 'Detection & Response' section, under a separate category at the top

  • Admins can view the detected findings for each incident using 'Timeline Details' or the 'Timeline Graph'

C. Incidents Management & Remediation:

Admins have two options for handling incidents:

1. Self-management

  • Suspend The User:

    • Admins can suspend a user’s account to block access to the productivity suite. This is currently supported for Microsoft 365 only (to reinstate access, use your cloud directory)

    • To suspend a user, open the relevant incident and click on the ‘Suspend User Account’ button

    • Please note:

      1. One-click suspension requires installation of the Guardz "Response" app.

      2. The ‘Suspend’ action has been enhanced to also revoke all active user sessions, meaning that when a user is suspended, they are immediately logged out of all active sessions across all devices and platforms.

  • Additional Action Items:

    • Create report: download a full detailed report of the incident

    • View playbook: view the detailed step-by-step guide on how to handle the issue, with links to the full technical guides (you may also review and follow these user guides)

    • Close incident: changes the status of the incident to closed

2. MDR Service

Let our MDR team handle incidents on your behalf (available for ‘Ultimate’ clients only). The team reviews and triages all incidents using human analysts and expert support. When an actual security threat is identified, they take action based on your remediation preferences to resolve the incident, communicate with admins, and provide incident support as needed.

How to set up the service

  • Make sure the Guardz "Response" application is installed

  • Configure remediation preferences:

    • Go to the 'Security Controls' tab and open the 'MDR' section at the top

    • Amend the preferences by clicking on the 'Edit' button

    • Provide your contact details

  • Please note:

    The MDR team, by nature of their role in monitoring and incident response, will typically take immediate actions such as suspending the user. However, you may still need to perform additional steps to fully resolve the incident by following the appropriate user guides.
