
Release Upgrade Summary (2025)

This article provides a summary of all new features and enhancements for Zscaler ITDR. To see scheduled maintenance updates for your cloud, visit the Trust Portal.


The following service updates were deployed to illusionblack.com on the following dates.

March 05, 2025
  • Feature Available
    • Active Directory and Entra ID Scan Delta Reports

      The Delta Report feature enables you to effectively monitor changes in Active Directory (AD) domains and Entra ID tenants. This feature streamlines the process of monitoring, tracking, and responding to security posture changes over time.

      You can automatically compare two historical scans and download the delta report to identify newly introduced risks, resolved issues, and updates to the existing risks. You can download these delta reports in PDF or Excel formats for offline review, collaboration, and efficient remediation.

      To learn more, see Downloading the Active Directory Delta Report and Downloading the Entra ID Delta Report.
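      The comparison a delta report performs, as an added example that is not Zscaler code: it classifies findings from two exported scans into new, resolved and updated (severity changed). It assumes each exported finding carries Id, Name and Severity fields; the finding names and IDs in the sample are constructed.

```powershell
# Added example, not Zscaler code: classify the differences between two
# exported scan result sets the way a delta report does. Assumes each finding
# carries Id, Name and Severity fields; the sample findings are constructed.
function Get-ScanDelta {
    param(
        [Parameter(Mandatory)] [object[]] $Previous,
        [Parameter(Mandatory)] [object[]] $Current
    )
    $prev = @{}; foreach ($f in $Previous) { $prev[$f.Id] = $f }
    $curr = @{}; foreach ($f in $Current)  { $curr[$f.Id] = $f }

    # Newly introduced: present now, absent before.
    $new = @($curr.Keys | Where-Object { -not $prev.ContainsKey($_) } | ForEach-Object { $curr[$_] })
    # Resolved: present before, absent now.
    $resolved = @($prev.Keys | Where-Object { -not $curr.ContainsKey($_) } | ForEach-Object { $prev[$_] })
    # Updated: present in both scans but with a changed severity.
    $updated = @($curr.Keys |
        Where-Object { $prev.ContainsKey($_) -and $prev[$_].Severity -ne $curr[$_].Severity } |
        ForEach-Object {
            [pscustomobject]@{
                Id          = $_
                Name        = $curr[$_].Name
                OldSeverity = $prev[$_].Severity
                NewSeverity = $curr[$_].Severity
            }
        })

    [pscustomobject]@{ New = $new; Resolved = $resolved; Updated = $updated }
}

# Constructed sample: two scan exports of the same domain, taken a week apart.
$scanA = @(
    [pscustomobject]@{ Id = 'AD-001'; Name = 'Kerberoastable service accounts'; Severity = 'High' }
    [pscustomobject]@{ Id = 'AD-002'; Name = 'AdminSDHolder ACL modified';       Severity = 'Critical' }
    [pscustomobject]@{ Id = 'AD-003'; Name = 'Unconstrained delegation';         Severity = 'Medium' }
)
$scanB = @(
    [pscustomobject]@{ Id = 'AD-001'; Name = 'Kerberoastable service accounts'; Severity = 'Critical' }
    [pscustomobject]@{ Id = 'AD-003'; Name = 'Unconstrained delegation';         Severity = 'Medium' }
    [pscustomobject]@{ Id = 'AD-004'; Name = 'Stale privileged accounts';        Severity = 'High' }
)

$delta = Get-ScanDelta -Previous $scanA -Current $scanB
'New: {0}  Resolved: {1}  Updated: {2}' -f $delta.New.Count, $delta.Resolved.Count, $delta.Updated.Count
$delta.Updated | Format-Table -AutoSize
```

      On the sample above the function reports one new finding (AD-004), one resolved finding (AD-002) and one updated finding (AD-001, High to Critical). Keying on a stable finding ID rather than on the finding name is what keeps a renamed check from showing up as one resolved and one new issue.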

    • Copying Columns from Tables

      You can copy specific columns from tables (up to 1,000 rows) and paste them into CSV, JSON, Notepad, or other compatible files across various modules (Identity Posture, Entra ID, Credential Exposure, Change Detection, etc.) in the ITDR Admin Portal.

      To learn more, see Using Tables.

    • Endpoint Credential Exposure Enhancements

      The following enhancements are made to the Endpoint Credential Exposure module:

      • The following sections were added to the Endpoint Credential Exposure dashboard (ITDR > Dashboard > Endpoint Credential Exposure):

        • Domain risk category or severity level (Critical, High, Medium, Low, etc.).
        • Details of the top 5 credential exposure issues that exist on your endpoints.
        • Credential exposure issues categorized by severity in a bar chart.
        • Credential exposure issues categorized by risk in a donut chart.
        • Risk Reduction Roadmap.

        To learn more, see About the Endpoint Credential Exposure Dashboard.

      • The Detailed Findings page (ITDR > Dashboard > Endpoint Credential Exposure > Detailed Findings) was added. This page shows all the exposed credential issues on your endpoints. You can view additional details about each issue and recommendations to further investigate and remediate the issue.

        To learn more, see Viewing Exposed Endpoint Credential Detailed Findings and Recommendation Details.

      • The following scan or exposure types were added:
        • Windows OOBE Priv Esc
        • Windows OOBE Files
        • Unmanaged Local Admins
      • The following scan or exposure types were removed:
        • Browser Cookies
        • Saved Browser Credentials
        • LSASS Application secrets
        • LSASS Login Sessions
        • Insecure UAC Settings
        • Active Sessions
        • Recent Run Commands
        • Recent PowerShell Commands
        • Certificate Files
      • The Cached Domain Logon Credentials scan or exposure type supports the credential cleanup feature.

        To learn more, see Viewing Exposed Endpoint Credential Details by Scan Type and Cleaning Up Exposed Endpoint Credentials.

      • The Severity column was removed from the table on the Identities page (ITDR > Dashboard > Endpoint Credential Exposure > Identities).

        To learn more, see Viewing Identities with Exposed Endpoint Credentials.

      • You can filter issues by severity level on the Detailed Findings, MITRE ATT&CK Exposure, and Privilege Escalation Path pages.

    • Entra ID Remediations

      The Entra ID Remediation Action feature allows you to automatically run remediation actions for risky Entra ID identities from the Zscaler ITDR Admin Portal, enhancing the Entra ID tenant security posture. You can run remediation actions for specific or multiple identities (in bulk).

      The following remediation actions are available:

      • Disable User
      • Revoke Session
      • Enforce MFA
      • Enforce MFA or phishing-resistant MFA
      • Remove Active Role Assignment
      • Remove Group Membership

      To learn more, see Running Remediation Actions for Microsoft Entra ID Issues.

      After remediation, you can view remediation logs that provide actionable insights with additional details such as remediation action details, impacted identity, timestamp, remediation status, etc.

      The permissions that ITDR needs to run these remediation actions are granted when you deploy the tenant-connection script in the Azure portal; you can add or remove individual remediation permissions during that deployment.

      To learn more, see Connecting an Entra ID Tenant with the Zscaler ITDR Admin Portal.
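      What the remediation actions do underneath, as an added example that is not Zscaler's script: the Microsoft Graph PowerShell calls and Graph permission scopes that correspond to Disable User, Revoke Session, Remove Group Membership and Remove Active Role Assignment. The user, group and role-assignment identifiers are placeholders, and the scope list is the least-privilege set these four calls need, not the set the ITDR deployment script requests (see the linked article for that). Enforce MFA is a Conditional Access change and is not shown here.

```powershell
# Added example, not Zscaler code. Requires the Microsoft.Graph module
# (Install-Module Microsoft.Graph -Scope CurrentUser). All IDs are placeholders.
$UserId       = 'risky.user@contoso.example'                 # placeholder UPN or object ID
$GroupId      = '00000000-0000-0000-0000-000000000001'       # placeholder group object ID
$RoleAssignId = 'placeholder-unifiedRoleAssignment-id'       # placeholder role assignment ID

# Least-privilege scopes for the four calls below. Note that changing accountEnabled
# or revoking sessions on an account that holds a directory role itself requires the
# caller to hold an equal or higher role; Graph permissions alone are not enough.
Connect-MgGraph -NoWelcome -Scopes @(
    'User.ReadWrite.All',                 # Disable User (accountEnabled)
    'User.RevokeSessions.All',            # Revoke Session
    'GroupMember.ReadWrite.All',          # Remove Group Membership
    'RoleManagement.ReadWrite.Directory'  # Remove Active Role Assignment
)

$user = Get-MgUser -UserId $UserId -Property Id, UserPrincipalName, AccountEnabled

# Disable User: blocks new sign-ins immediately.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Revoke Session: invalidates refresh tokens and browser session cookies. Access
# tokens already issued stay valid until they expire (typically up to one hour),
# so disabling and revoking together is the usual containment pair.
$null = Revoke-MgUserSignInSession -UserId $user.Id

# Remove Group Membership: takes away everything the group grants (app roles,
# Conditional Access exclusions, role-assignable group privileges).
Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $user.Id

# Remove Active Role Assignment: removes a directory role via the unified role
# management API, which also covers PIM-managed assignments.
Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $RoleAssignId

# Verify: account disabled and the sessions-valid-from timestamp moved forward.
Get-MgUser -UserId $user.Id -Property AccountEnabled, SignInSessionsValidFromDateTime |
    Select-Object AccountEnabled, SignInSessionsValidFromDateTime
```

      Before wiring any of this to an automated trigger, exclude break-glass accounts and the identity ITDR itself uses, so a bulk remediation run cannot lock the tenant's own administrators out.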

    • Export Event Fields in JSON

      ITDR supports exporting event fields in JSON format. You can export all the event fields and use them for further analysis and investigation.

      To learn more, see Exporting Event Logs.

    • Integration with Amazon GuardDuty

      Zscaler ITDR supports integration with Amazon GuardDuty to isolate and contain attackers who interact with decoys by blocking access to those users across AWS resources.

    • Risk Reduction Roadmap

      The Risk Reduction Roadmap feature provides a proactive security approach to enhance the security posture of your identity infrastructure, including Active Directory (AD), Entra ID, and endpoints.

      An interactive control in the Risk Reduction Roadmap section of the dashboard shows the current domain risk severity (Critical, High, Medium, or Low) and lets you set a target severity level to systematically lower the domain risk.

      After the target severity level is set, ITDR provides an actionable and prioritized risk and remediation roadmap. This roadmap helps you identify, prioritize, and remediate issues, ensuring a structured approach to improving the security posture of your identity infrastructure.

      To learn more, see Viewing the Active Directory Risk Reduction Roadmap, Viewing the Entra ID Risk Reduction Roadmap, and Viewing the Exposed Endpoint Credential Risk Reduction Roadmap.

    • ZPA Containment Support for ZIdentity-Enabled Tenants

      Support for containment with Zscaler Private Access (ZPA) is extended to ZIdentity-enabled tenants. If a user is contained with ZPA, then real apps become inaccessible and only app decoys remain accessible.

      To learn more, see Containment Configuration Guide for Zscaler Private Access (ZPA).

  • Feature in Limited Availability
    • Active Directory Monitoring with Server Agent

      The ITDR server agent monitors Active Directory (AD) users and computer activities, providing insights to help you quickly address identity-based threats. You can download the server agent directly from the ITDR Admin Portal and run the installation command to complete the setup.

      To learn more, see About Server Agents.

      Session Tracking

      You can enable session tracking in the server agent policy to monitor logon activities for all AD administrators and privileged accounts. The server agent collects activity logs and displays the details on the Summary and Session Tracking pages (ITDR > Identity Posture > Top 10 Users & Computers). This feature helps you to identify any anomalous user activity.

      To learn more, see Viewing Affected Active Directory User Account Details.

      Password Analysis

      You can enable and configure password analysis in the server agent policy to identify compromised or weak passwords by checking hashes against leaked databases, common patterns, and custom dictionaries while also monitoring for password reuse or rotation. The analysis is done locally on the selected domain controller (DC) and does not leave the customer environment, ensuring security and compliance. The password analysis details are displayed on the Password Analysis Dashboard (ITDR > Dashboard > Password Analysis).

      To learn more, see About Password Analysis.

Related Articles
  • Release Upgrade Summary (2025)
  • Release Upgrade Summary (2024)
  • Release Upgrade Summary (2023)