Session

Empowering Identity Threat Detection & Response with Microsoft Security

Identities are still one of the main attack scenarios, and many different threats and attack techniques will be used to gain credentials and access. Microsoft security products offer many capabilities to detect those threats and risks on identities by using built-in ML-based signals but also by implementing custom detections.

But which integrations between the individual products (such as Microsoft Defender XDR, Sentinel and Entra ID Protection) are essential? How can you take advantage of "User and Entity Behavior Analytics" to detect suspicious activities? Which practical use cases and solutions are available to fine-tune or enrich built-in detections?

In this talk, I would like to give a practical view on the implementation of the Microsoft Security stack for Identity Threat Detection & Response with notes from the field. This will also cover advanced multi-stage attack scenarios and custom detections.

Thomas Naunheim

Microsoft MVP | Cloud Security Architect @glueckkanja AG

Koblenz, Germany
