Microsoft Defender for Identity (MDI)

Categories: m365-azure, Authentication & Access, SIEM / Log Aggregator, Cloud Admin Portal

Location

Microsoft 365 Defender Portal > Identities > Health & Alerts (or Microsoft Graph Security API)

Description

Identity threat detection system monitoring on-premises Active Directory traffic via domain controller sensors. Detects credential-based attacks including Kerberoasting, DCSync, Pass-the-Hash, Pass-the-Ticket, Golden Ticket, and reconnaissance activities.

Forensic Value

MDI detects identity-based attacks that cloud-only logs cannot see because it monitors Active Directory network traffic directly on domain controllers. DCSync detection identifies unauthorized replication of password hashes. Kerberoasting alerts reveal service ticket harvesting for offline cracking. Lateral movement path analysis maps how an attacker could reach high-value targets. Reconnaissance detection identifies LDAP queries, SAM-R enumeration, and DNS reconnaissance that precede lateral movement.

Tools Required

Microsoft 365 Defender Portal, Microsoft Graph Security API, PowerShell, SIEM (Sentinel)