Updates to multiple detections to reduce noise and improve alert accuracy
September 2025
Several Defender for Identity detections are being updated to reduce noise and improve accuracy, making alerts more reliable and actionable. As the rollout continues, you may see a decrease in the number of alerts raised.
The improvements will gradually take effect across the following detections:
- Suspicious communication over DNS
- Suspected Netlogon privilege elevation attempt (CVE-2020-1472)
- Honeytoken authentication activity
- Remote code execution attempt over DNS
- Suspicious password reset by Microsoft Entra Connect account
- Data exfiltration over SMB
- Suspected skeleton key attack (encryption downgrade)
- Suspicious modification of Resource Based Constrained Delegation by a machine account
- Remote code execution attempt
Unified connectors are now available for the Okta Single Sign-On connector (Preview)
Microsoft Defender for Identity supports the Unified connectors experience, starting with the Okta Single Sign-On connector. This enables Defender for Identity to collect Okta system logs once and share them across supported Microsoft security products, reducing API usage and improving connector efficiency.
For more information, see Connect Okta to Microsoft Defender for Identity (Preview).