
ITDR: Closing the Gap Between Identity Detection and Compliance Response

May 5, 2026 | TATER Security Team

Identity is the new perimeter. The vast majority of successful breaches involve compromised credentials, not exploitation of network vulnerabilities. Yet most compliance programs still treat identity security as a checkbox — "MFA is enabled" — rather than an active monitoring and response capability. Identity Threat Detection and Response (ITDR) in TATER changes that by connecting live identity signals to your compliance posture in real time.

83% of breaches involve compromised or weak credentials (Verizon DBIR)

What Is ITDR in TATER?

TATER's ITDR module (Security → Identity Security → ITDR) aggregates identity threat signals from Microsoft Entra ID Protection and maps them to your compliance control baseline. When Entra detects a risky sign-in, an anomalous user behavior, or a leaked credential, TATER creates a structured ITDR alert that links to:

Alert Structure

Each ITDR alert captures the threat type, risk level (Low/Medium/High/Critical), detection timestamp, source user identity, source IP and location, related sign-in events, and investigation notes. Alerts progress through a defined lifecycle: New → Investigating → Contained → Resolved, or False Positive. Every status transition is audit-logged with actor and timestamp.

The alert record is the compliance artifact. When an auditor asks "show me evidence that identity-based threats are detected and responded to within your defined SLO," the ITDR alert record with its complete timeline is the answer — not a narrative in a Word document.

Playbook Integration

Every ITDR alert type maps to a pre-built playbook template. When you click "Activate Playbook" on an ITDR alert, TATER creates the workflow from the template pre-populated with the alert context — affected user, detected threat type, risk level — and stamps the alert ID on the playbook run. The containment steps (suspend account, revoke sessions, rotate credentials, notify the user's manager) execute as trackable workflow tasks, each requiring a completion note before the next step opens.
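The alert lifecycle described under "Alert Structure" and the gated playbook steps described above, modelled as an added example (this is illustration code, not TATER's own implementation). The class names, the `ALLOWED` transition table, the playbook templates and the sample alert values are all assumptions made for the illustration.

```python
# Added example, not code from TATER: a minimal model of the ITDR alert lifecycle
# (New -> Investigating -> Contained -> Resolved, or -> False Positive) with an
# audit-logged transition function, plus a playbook run whose steps open one at
# a time and each require a completion note. All names here are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Status(str, Enum):
    NEW = "New"
    INVESTIGATING = "Investigating"
    CONTAINED = "Contained"
    RESOLVED = "Resolved"
    FALSE_POSITIVE = "False Positive"


# Allowed state transitions. Anything not listed is rejected, so the audit trail
# can never show an alert jumping from New straight to Resolved.
ALLOWED = {
    Status.NEW: {Status.INVESTIGATING, Status.FALSE_POSITIVE},
    Status.INVESTIGATING: {Status.CONTAINED, Status.FALSE_POSITIVE},
    Status.CONTAINED: {Status.RESOLVED},
    Status.RESOLVED: set(),
    Status.FALSE_POSITIVE: set(),
}

# Constructed playbook templates keyed by threat type; the step names follow the
# containment steps listed in the text.
PLAYBOOK_TEMPLATES = {
    "leakedCredentials": [
        "suspend account", "revoke sessions", "rotate credentials", "notify manager",
    ],
    "riskySignIn": ["revoke sessions", "notify manager"],
}


@dataclass
class ITDRAlert:
    alert_id: str
    threat_type: str
    risk_level: str  # Low / Medium / High / Critical
    user: str
    source_ip: str
    status: Status = Status.NEW
    audit_log: list = field(default_factory=list)

    def transition(self, new_status: Status, actor: str, note: str = "") -> None:
        """Move the alert to new_status, recording actor, timestamp and note."""
        if new_status not in ALLOWED[self.status]:
            raise ValueError(
                f"{self.alert_id}: {self.status.value} -> {new_status.value} not allowed")
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "from": self.status.value,
            "to": new_status.value,
            "note": note,
        })
        self.status = new_status


@dataclass
class PlaybookRun:
    alert_id: str
    context: dict
    steps: list
    completed: list = field(default_factory=list)  # (step, actor, note, ts)

    def current_step(self) -> Optional[str]:
        """The single open step, or None once every step is done."""
        idx = len(self.completed)
        return self.steps[idx] if idx < len(self.steps) else None

    def complete_step(self, actor: str, note: str) -> Optional[str]:
        """Close the open step; a non-empty note is mandatory before the next opens."""
        step = self.current_step()
        if step is None:
            raise ValueError("playbook already complete")
        if not note.strip():
            raise ValueError(f"completion note required for step '{step}'")
        self.completed.append((step, actor, note, datetime.now(timezone.utc).isoformat()))
        return self.current_step()


def activate_playbook(alert: ITDRAlert) -> PlaybookRun:
    """Instantiate the template for the alert's threat type, stamped with alert context."""
    return PlaybookRun(
        alert_id=alert.alert_id,
        context={"user": alert.user, "threat_type": alert.threat_type,
                 "risk_level": alert.risk_level},
        steps=list(PLAYBOOK_TEMPLATES[alert.threat_type]),
    )


if __name__ == "__main__":
    # Constructed sample alert for a walk-through.
    alert = ITDRAlert("itdr-0001", "leakedCredentials", "High", "j.doe@example.com", "203.0.113.7")
    alert.transition(Status.INVESTIGATING, actor="analyst1", note="triage started")
    run = activate_playbook(alert)
    while run.current_step():
        run.complete_step("analyst1", f"done: {run.current_step()}")
    alert.transition(Status.CONTAINED, "analyst1", "all playbook steps complete")
    alert.transition(Status.RESOLVED, "analyst1")
    for entry in alert.audit_log:
        print(entry)
```

The transition table is the part worth copying: rejecting unlisted transitions is what makes the audit log usable as the compliance artifact, because every path from New to Resolved is then guaranteed to pass through the investigation and containment states.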

"The gap between detection and response is where breaches do their damage. ITDR + Playbooks close that gap by making the response procedural rather than ad hoc."

Connecting Detection to Compliance Controls

ITDR alerts are not just operational events — they are compliance evidence. When an alert is created, TATER automatically creates a comment on each linked compliance control noting the detection event. This feeds directly into the control's audit history. When the control is reviewed in a compliance assessment, the auditor can see that the organization detected and responded to a real identity threat — not just that the technical control was configured.

If the alert reveals that an MFA bypass was achieved despite MFA being "enabled," TATER creates a failing signal on the relevant MFA controls. This ensures the compliance dashboard reflects reality, not just configuration state.
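The two behaviours just described (commenting on each linked control when an alert is created, and turning a configured-but-bypassed MFA control into a failing signal) as an added example. This is illustration code, not TATER's implementation; the control IDs, the `CONTROL_THREATS` mapping and the threat-type strings such as `mfaBypass` are constructed for the example, not Entra ID Protection's own names.

```python
# Added example, not TATER's code: deriving a compliance control's status from
# both its configured state and open ITDR evidence, and writing the detection
# into the control's audit history. Control IDs, threat-type strings and the
# control-to-threat mapping are constructed assumptions for this illustration.
from dataclasses import dataclass, field

# Alert states that no longer count as live evidence against a control.
CLOSED_STATES = {"Resolved", "False Positive"}

# Which detected threat types contradict which controls' configured state.
# Constructed mapping; in practice this would come from the control baseline.
CONTROL_THREATS = {
    "IAM-MFA-01": {"mfaBypass"},
    "IAM-CRED-02": {"leakedCredentials"},
}


@dataclass
class Alert:
    alert_id: str
    threat_type: str
    risk_level: str
    status: str = "New"


@dataclass
class Control:
    control_id: str
    name: str
    configured: bool  # the "MFA is enabled" checkbox state
    audit_history: list = field(default_factory=list)


def link_alert_to_controls(alert: Alert, controls: list) -> list:
    """Comment on every control whose threat set includes the alert's threat type.
    Returns the IDs of the controls that received a comment."""
    linked = []
    for c in controls:
        if alert.threat_type in CONTROL_THREATS.get(c.control_id, set()):
            c.audit_history.append(
                f"ITDR alert {alert.alert_id}: {alert.threat_type} "
                f"({alert.risk_level}) detected")
            linked.append(c.control_id)
    return linked


def evaluate_control(control: Control, alerts: list) -> dict:
    """Status is configuration AND the absence of live evidence that it was bypassed."""
    if not control.configured:
        return {"status": "Failing", "reason": "control not configured"}
    live = [a.alert_id for a in alerts
            if a.threat_type in CONTROL_THREATS.get(control.control_id, set())
            and a.status not in CLOSED_STATES]
    if live:
        return {"status": "Failing", "reason": "open bypass evidence", "alerts": live}
    return {"status": "Passing", "reason": "configured, no open contradicting alerts"}


if __name__ == "__main__":
    # Constructed sample: MFA is "enabled", yet an open bypass alert exists.
    mfa = Control("IAM-MFA-01", "MFA enforced for all users", configured=True)
    alert = Alert("itdr-0042", "mfaBypass", "High", status="Investigating")
    print(link_alert_to_controls(alert, [mfa]))
    print(evaluate_control(mfa, [alert]))  # Failing despite configured=True
    alert.status = "Resolved"
    print(evaluate_control(mfa, [alert]))  # Passing again once the alert is closed
```

The point of `evaluate_control` is that `configured=True` on its own never yields Passing: the dashboard status is a function of configuration and of the alert store, so a control flips to Failing the moment a contradicting alert is opened and only returns to Passing once that alert reaches a closed state.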

NHI Integration

ITDR is not limited to human identities. TATER's NHI inventory feeds into the ITDR alert system: if an API key or service principal is involved in a suspicious authentication event, TATER correlates the alert to the NHI record and flags it for review. The NHI record's audit history gains the alert reference, creating a complete picture of the identity's activity timeline.

Risk Register Integration

When an ITDR alert is escalated to High or Critical, TATER prompts the security team to create a corresponding Risk Register entry documenting the threat, its likelihood and impact, and the risk treatment decision. The risk record links back to the ITDR alert, creating a bidirectional reference. If the same identity threat pattern reoccurs, the analyst can see the historical alert and risk record and make a better-informed decision on whether to escalate the treatment strategy.

Activate ITDR in Your Environment

TATER ITDR works with your existing Microsoft Entra ID Protection license. Navigate to Security → Identity Security in TATER to configure alert ingestion and review the pre-built playbook templates for the most common identity threat types.
