Microsoft Defender for Identity (MDI)
Location
Microsoft 365 Defender Portal > Identities > Health & Alerts (or Microsoft Graph Security API)
Description
Identity threat detection system monitoring on-premises Active Directory traffic via domain controller sensors. Detects credential-based attacks including Kerberoasting, DCSync, Pass-the-Hash, Pass-the-Ticket, Golden Ticket, and reconnaissance activities.
Forensic Value
MDI detects identity-based attacks that cloud-only logs cannot see because it monitors Active Directory network traffic directly on domain controllers. DCSync detection identifies unauthorized replication of password hashes. Kerberoasting alerts reveal service ticket harvesting for offline cracking. Lateral movement path analysis maps how an attacker could reach high-value targets. Reconnaissance detection identifies LDAP queries, SAM-R enumeration, and DNS reconnaissance that precede lateral movement.
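The Graph Security API route mentioned under Location is how these detections are pulled for an investigation. The following is an added example, not Microsoft's code: it filters a constructed alerts_v2 response down to the MDI-sourced alerts and builds a per-account timeline across reconnaissance and credential-access stages. Field names (serviceSource, category, evidence entries with @odata.type) are assumed to follow the Graph security alerts_v2 schema; the sample records are constructed.

```python
"""Triage Graph Security API alerts and keep those raised by Defender for Identity.

Added example, not Microsoft's code. Field names are assumed to follow the
alerts_v2 schema; the sample records below are constructed, not real alerts.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like GET https://graph.microsoft.com/v1.0/security/alerts_v2
SAMPLE_ALERTS = json.dumps({"value": [
    {"id": "da1", "title": "Suspected DCSync attack (replication of directory services)",
     "category": "CredentialAccess", "severity": "high",
     "serviceSource": "microsoftDefenderForIdentity",
     "createdDateTime": "2024-03-01T10:05:00Z",
     "evidence": [{"@odata.type": "#microsoft.graph.security.userEvidence",
                   "userAccount": {"accountName": "svc-backup"}},
                  {"@odata.type": "#microsoft.graph.security.deviceEvidence",
                   "deviceDnsName": "ws-042.corp.example"}]},
    {"id": "da2", "title": "Active Directory attributes reconnaissance (LDAP)",
     "category": "Discovery", "severity": "medium",
     "serviceSource": "microsoftDefenderForIdentity",
     "createdDateTime": "2024-03-01T09:40:00Z",
     "evidence": [{"@odata.type": "#microsoft.graph.security.userEvidence",
                   "userAccount": {"accountName": "svc-backup"}}]},
    {"id": "de1", "title": "Suspicious PowerShell command line",
     "category": "Execution", "severity": "medium",
     "serviceSource": "microsoftDefenderForEndpoint",  # not MDI, must be dropped
     "createdDateTime": "2024-03-01T09:50:00Z", "evidence": []},
]})

def mdi_timeline(raw_json):
    """Return MDI alerts in time order, reduced to when / what / which account / which host."""
    rows = []
    for a in json.loads(raw_json)["value"]:
        if a.get("serviceSource") != "microsoftDefenderForIdentity":
            continue  # alerts from other Defender products are out of scope here
        ev = a.get("evidence", [])
        accounts = sorted({e["userAccount"]["accountName"] for e in ev
                           if e.get("@odata.type", "").endswith("userEvidence")})
        hosts = sorted({e["deviceDnsName"] for e in ev
                        if e.get("@odata.type", "").endswith("deviceEvidence")})
        when = datetime.fromisoformat(a["createdDateTime"].replace("Z", "+00:00"))
        rows.append({"time": when, "category": a["category"], "title": a["title"],
                     "accounts": accounts, "hosts": hosts})
    return sorted(rows, key=lambda r: r["time"])

def accounts_by_stage(rows):
    """Group accounts per alert category so an identity seen in Discovery and then
    CredentialAccess (recon followed by DCSync) is easy to spot."""
    stages = defaultdict(set)
    for r in rows:
        stages[r["category"]].update(r["accounts"])
    return {k: sorted(v) for k, v in stages.items()}
```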