Microsoft Defender for Identity (MDI)
Location
Microsoft 365 Defender portal (now the Microsoft Defender portal, security.microsoft.com) > Identities > Health & Alerts, or the Microsoft Graph Security API (security/alerts_v2)
Description
Identity threat detection service that monitors on-premises Active Directory by parsing domain controller network traffic and Windows events through sensors installed on the DCs (and optionally on AD FS and AD CS servers). Detects credential-based attacks including Kerberoasting, DCSync, Pass-the-Hash, Pass-the-Ticket and Golden Ticket, as well as the reconnaissance activity that precedes them.
Forensic Value
MDI sees identity attacks that cloud-only logs miss because its sensor parses the Kerberos, NTLM, LDAP, SMB, DNS and RPC traffic arriving at the domain controllers themselves. DCSync detection flags directory replication requests (DRSUAPI) coming from accounts or hosts that are not domain controllers, which is how an attacker pulls password hashes without touching NTDS.dit. Kerberoasting alerts reveal bulk service ticket (TGS) requests made to harvest hashes for offline cracking. Lateral movement path analysis combines logged-on-user and local-admin data to map how an attacker could pivot from a compromised account to a sensitive one. Reconnaissance detection identifies the LDAP queries, SAM-R enumeration and DNS sweeps (for example zone transfer requests) that typically precede lateral movement. Note that the alerts are detections, not raw logs: the underlying activity (logons, directory changes, LDAP and SAM-R queries) lives in the IdentityLogonEvents, IdentityDirectoryEvents and IdentityQueryEvents advanced hunting tables, which retain 30 days, so export it promptly during an investigation.
Tools Required
Collection Commands
Graph API
GET https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=serviceSource eq 'microsoftDefenderForIdentity' and createdDateTime ge 2024-01-01T00:00:00Z&$top=100
(requires the SecurityAlert.Read.All permission; percent-encode the spaces and quotes in $filter when calling from a script, and follow @odata.nextLink to get past the first page)
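The collection above done from a script, as an added example that is not code from the original page or from Microsoft: it builds the same alerts_v2 query with the filter properly encoded, follows @odata.nextLink until the result set is exhausted, and reduces the alerts to the first scoping view an analyst wants (counts by title and severity, plus the AD accounts named in the evidence). It assumes the caller already holds a bearer token carrying SecurityAlert.Read.All; the HTTP transport is injectable, and SAMPLE_PAGES is a constructed two-page response so the paging and summary logic runs offline.

```python
"""Collect Microsoft Defender for Identity alerts from Graph security/alerts_v2.

Added example (not from the original page or Microsoft). Assumes a bearer token
with SecurityAlert.Read.All for the live transport; SAMPLE_PAGES is constructed.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Dict, Iterator, List

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts_v2"
USER_EVIDENCE = "#microsoft.graph.security.userEvidence"


def build_mdi_alert_url(since_iso: str, top: int = 100) -> str:
    """Same query as the GET above, with the OData filter percent-encoded.
    A browser tolerates raw spaces and quotes; many HTTP libraries do not."""
    flt = ("serviceSource eq 'microsoftDefenderForIdentity' "
           f"and createdDateTime ge {since_iso}")
    query = urllib.parse.urlencode({"$filter": flt, "$top": top},
                                   safe="$", quote_via=urllib.parse.quote)
    return f"{GRAPH_ALERTS}?{query}"


def fetch_json_http(token: str) -> Callable[[str], Dict]:
    """Live transport: GET a Graph URL with the bearer token."""
    def fetch(url: str) -> Dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_alerts(url: str, fetch_json: Callable[[str], Dict]) -> Iterator[Dict]:
    """Walk every page: Graph caps $top and returns @odata.nextLink until done."""
    while url:
        page = fetch_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def summarize(alerts: List[Dict]) -> Dict[str, Counter]:
    """Counts by alert title and severity, plus the AD accounts named in
    userEvidence entries, which is what scoping an identity incident starts from."""
    by_title: Counter = Counter()
    by_severity: Counter = Counter()
    accounts: Counter = Counter()
    for alert in alerts:
        by_title[alert.get("title", "?")] += 1
        by_severity[alert.get("severity", "?")] += 1
        for ev in alert.get("evidence", []):
            if ev.get("@odata.type") == USER_EVIDENCE:
                name = ev.get("userAccount", {}).get("accountName")
                if name:
                    accounts[name] += 1
    return {"by_title": by_title, "by_severity": by_severity, "accounts": accounts}


def collect_mdi_alerts(since_iso: str, fetch_json: Callable[[str], Dict]) -> Dict[str, Counter]:
    return summarize(list(iter_alerts(build_mdi_alert_url(since_iso), fetch_json)))


# Constructed sample responses (two pages) so the script runs offline.
def make_alert(aid: str, title: str, severity: str, when: str, account: str) -> Dict:
    return {"id": aid, "title": title, "severity": severity, "createdDateTime": when,
            "serviceSource": "microsoftDefenderForIdentity",
            "evidence": [{"@odata.type": USER_EVIDENCE,
                          "userAccount": {"accountName": account, "domainName": "corp"}}]}


FIRST_PAGE_URL = build_mdi_alert_url("2024-03-01T00:00:00Z")
NEXT_PAGE_URL = GRAPH_ALERTS + "?$skiptoken=constructed"
DCSYNC = "Suspected DCSync attack (replication of directory services)"
SAMPLE_PAGES = {
    FIRST_PAGE_URL: {"value": [
        make_alert("a1", DCSYNC, "high", "2024-03-02T10:15:00Z", "svc-backup"),
        make_alert("a2", "Suspected Kerberos SPN exposure", "medium", "2024-03-02T10:20:00Z", "jdoe"),
    ], "@odata.nextLink": NEXT_PAGE_URL},
    NEXT_PAGE_URL: {"value": [
        make_alert("a3", "Account enumeration reconnaissance", "medium", "2024-03-02T09:50:00Z", "jdoe"),
        make_alert("a4", DCSYNC, "high", "2024-03-03T01:05:00Z", "svc-backup"),
    ]},
}


def fetch_sample(url: str) -> Dict:
    """Offline transport backed by the constructed pages above."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    # Swap fetch_sample for fetch_json_http(token) to run against a real tenant.
    for key, counter in collect_mdi_alerts("2024-03-01T00:00:00Z", fetch_sample).items():
        print(key, dict(counter))
```

The transport is separated from the paging and summary logic so the same code can be pointed at a saved JSON export or at the live API without changes; the evidence walk keys on the `@odata.type` discriminator because alerts_v2 mixes user, device, process and other evidence kinds in one array.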
KQL
AlertInfo | where Timestamp > ago(30d) | where ServiceSource == "Microsoft Defender for Identity" | where Title has_any ("Account enumeration reconnaissance", "Security principal reconnaissance") | join kind=inner (AlertEvidence | where EntityType in ("User", "Machine")) on AlertId | project Timestamp, Title, Severity, EntityType, AccountName, DeviceName
(these names are alert titles, not IdentityDirectoryEvents action types, so they are looked up in AlertInfo and joined to AlertEvidence for the accounts and hosts involved)
KQL
IdentityLogonEvents | where Timestamp > ago(7d) | where ActionType == "LogonFailed" | summarize FailCount=count(), Reasons=make_set(FailureReason), LogonTypes=make_set(LogonType) by AccountName, DeviceName | where FailCount > 10 | sort by FailCount desc
(failure is recorded in ActionType as LogonFailed; LogonType holds the logon kind such as Network or Interactive, not the outcome)
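The failed-logon hunt above, re-implemented over exported rows as an added example that is not code from the original page. It goes beyond the single query in two ways a practitioner needs: it also surfaces sources that fail against many distinct accounts with only one or two failures each (the password-spray shape, which a per-account threshold never trips) and accounts that eventually logged on from a source that had already failed repeatedly (the pair to triage first). The rows are constructed to look like IdentityLogonEvents records; the column names are real, the FailureReason strings and host names are made up for the example.

```python
"""Failed-logon analysis over exported IdentityLogonEvents-shaped rows.

Added example, not from the original page. Rows below are constructed; the
column names match the IdentityLogonEvents table, values are illustrative.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Row = Dict[str, str]


def make_row(ts: datetime, action: str, account: str, device: str, ip: str,
             reason: str = "") -> Row:
    return {"Timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "ActionType": action,
            "LogonType": "Network", "Protocol": "Ntlm", "FailureReason": reason,
            "AccountName": account, "DeviceName": device, "IPAddress": ip}


def make_sample_rows() -> List[Row]:
    """Constructed data: one brute-force burst, one spray, and ordinary noise."""
    base = datetime(2024, 3, 2, 9, 0, 0)
    rows: List[Row] = []
    # Brute force: one account, one source, 12 failures in six minutes, then success.
    for i in range(12):
        rows.append(make_row(base + timedelta(seconds=30 * i), "LogonFailed",
                             "jdoe", "WS-042", "10.1.4.42", "WrongPassword"))
    rows.append(make_row(base + timedelta(minutes=7), "LogonSuccess", "jdoe", "WS-042", "10.1.4.42"))
    # Spray: one source, exactly one failure against each of eight accounts.
    for i in range(8):
        rows.append(make_row(base + timedelta(minutes=i), "LogonFailed",
                             f"user{i:02d}", "WS-777", "10.1.9.77", "WrongPassword"))
    # Noise: a user mistyping twice and then getting in.
    for i in range(2):
        rows.append(make_row(base + timedelta(hours=1, minutes=i), "LogonFailed",
                             "alice", "WS-010", "10.1.2.10", "WrongPassword"))
    rows.append(make_row(base + timedelta(hours=1, minutes=3), "LogonSuccess", "alice", "WS-010", "10.1.2.10"))
    return rows


def failed_logons_by_account(rows: List[Row], threshold: int = 10) -> List[Tuple[str, str, int]]:
    """Equivalent of the KQL above: (AccountName, DeviceName, FailCount) over threshold."""
    counts = Counter((r["AccountName"], r["DeviceName"])
                     for r in rows if r["ActionType"] == "LogonFailed")
    return sorted(((a, d, n) for (a, d), n in counts.items() if n > threshold),
                  key=lambda t: -t[2])


def spray_sources(rows: List[Row], min_accounts: int = 5) -> Dict[str, List[str]]:
    """Sources whose failures spread across many accounts; invisible to the per-account count."""
    targets: Dict[str, set] = defaultdict(set)
    for r in rows:
        if r["ActionType"] == "LogonFailed":
            targets[r["DeviceName"]].add(r["AccountName"])
    return {d: sorted(a) for d, a in targets.items() if len(a) >= min_accounts}


def success_after_failures(rows: List[Row], min_failures: int = 5) -> List[Tuple[str, str]]:
    """(account, source) pairs that succeeded after at least min_failures prior failures
    from that same source: the likeliest sign the guessing worked."""
    fails: Counter = Counter()
    hits: List[Tuple[str, str]] = []
    for r in sorted(rows, key=lambda r: r["Timestamp"]):
        key = (r["AccountName"], r["DeviceName"])
        if r["ActionType"] == "LogonFailed":
            fails[key] += 1
        elif r["ActionType"] == "LogonSuccess" and fails[key] >= min_failures and key not in hits:
            hits.append(key)
    return hits


if __name__ == "__main__":
    data = make_sample_rows()
    print("over threshold:", failed_logons_by_account(data))
    print("spray sources:", spray_sources(data))
    print("success after failures:", success_after_failures(data))
```

On the constructed data the per-account query returns only jdoe on WS-042, while WS-777 (eight accounts, one failure each) shows up only in the spray view; in a real export, feed both views with the IPAddress column as well, since MDI often cannot resolve a DeviceName for NTLM failures from unmanaged hosts.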