1. Defender for Identity (MDI) & On-Premises Security

  • The Sensor: Installed directly on Domain Controllers and AD FS servers. It parses network traffic (RPC, LDAP, Kerberos) and Windows Events to detect threats that bypass traditional logs.
  • Detection Categories:
    • Reconnaissance: Enumeration of users/groups, DNS reconnaissance, and SMB session enumeration.
    • Lateral Movement: Pass-the-Ticket, Pass-the-Hash, and malicious service creation.
    • Domain Dominance: Skeleton Key, Golden Ticket, and Malicious Data Protection API (DPAPI) requests.
  • Identity Security Posture Management (ISPM): Integrated into Microsoft Secure Score to identify legacy protocols (NTLMv1), insecure account attributes, and clear-text password exposures.

2. Microsoft Defender XDR (Unified Correlation)

  • The Incident View: Automatically correlates isolated alerts from Defender for Endpoint, Office 365, Identity, and Cloud Apps into a single Incident. This reduces alert fatigue by grouping the “story” of an attack (e.g., Phish -> Compromised User -> Lateral Movement -> Data Exfiltration).
  • Signal Sharing: Enabling “Microsoft Defender XDR integration” allows different workloads to share signals. For example, if a device is marked as “High Risk” by MDE, Entra ID can automatically block that user’s sign-in via Conditional Access.
  • The Unified Portal: Centralizes all security operations (security.microsoft.com), replacing the legacy per-product admin centers.

3. Automated Investigation and Response (AIR)

  • Cross-Product Playbooks: When an incident is created, AIR executes playbooks that span workloads. It can simultaneously quarantine an email (Office 365), isolate a device (Endpoint), and disable a compromised user (Identity).
  • Evidence & Entity Center: Provides a unified list of all files, processes, URLs, and accounts involved in an investigation, allowing for a “one-click” remediation across the entire environment.
  • Action Center: The single pane of glass for approving or auditing all automated remediation actions.

4. Advanced Hunting (KQL)

  • The Schema: Use Kusto Query Language (KQL) to query raw data across all Defender workloads.
    • IdentityLogonEvents: Tracks all authentication attempts across on-prem and cloud.
    • IdentityDirectoryEvents: Tracks changes to AD objects (e.g., group membership changes, password resets).
  • Proactive Hunting: Go beyond alerts by searching for “Indicators of Attack” (IoA) that haven’t triggered a formal alert yet, such as suspicious PowerShell execution patterns or unusual cross-domain traffic.
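As an added hunting example (not part of the original notes), a query over IdentityDirectoryEvents that surfaces additions to privileged AD groups, a common precursor to the Domain Dominance techniques listed in section 1. The group list and the AdditionalFields keys (TO.GROUP, TARGET_OBJECT.USER) are assumptions to confirm against your tenant's schema before relying on the result.

```kql
// Hunt for membership additions to Tier-0 groups over the last 7 days.
// Assumption: "Group Membership changed" events carry the new group in
// AdditionalFields["TO.GROUP"] and the added principal in
// AdditionalFields["TARGET_OBJECT.USER"]; adjust the group list to your forest.
let PrivilegedGroups = dynamic(["Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"]);
IdentityDirectoryEvents
| where Timestamp > ago(7d)
| where ActionType == "Group Membership changed"
| extend ToGroup    = tostring(AdditionalFields["TO.GROUP"]),
         AddedUser  = tostring(AdditionalFields["TARGET_OBJECT.USER"])
| where isnotempty(ToGroup) and ToGroup in~ (PrivilegedGroups)
| project Timestamp,
          Actor       = AccountUpn,      // account that performed the change
          ActorDevice = DeviceName,      // device the change originated from
          AddedUser,
          ToGroup
| order by Timestamp desc
```

Pair the result with IdentityLogonEvents for the same Actor around the same Timestamp to see whether the change was made from the admin's usual workstation.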

5. Microsoft Sentinel Integration

  • The SIEM/SOAR Connection: While Defender XDR handles the Microsoft stack, Sentinel provides the broader view (firewalls, third-party clouds, multi-vendor logs).
  • Defender XDR Connector: Use the bi-directional sync connector to ensure that closing an incident in Sentinel also closes it in the Defender portal, and vice versa.

6. Essential PowerShell & Diagnostic Tools

  • MDI Sensor Management:
    • Test-MdiSensorApiConnection.ps1: (Bundled with the sensor) Validates that the Domain Controller can reach the MDI cloud service.
  • KQL Query Example (Advanced Hunting Portal):
    // Find users who had a failed logon followed, within one hour, by a successful one from a different IP
    IdentityLogonEvents
    | where ActionType == "LogonFailed" and isnotempty(AccountObjectId)
    | join kind=inner (IdentityLogonEvents | where ActionType == "LogonSuccess") on AccountObjectId
    | where Timestamp1 > Timestamp and Timestamp1 - Timestamp < 1h   // success must come after the failure
    | where IPAddress != IPAddress1                                   // and from a different source IP
    | project AccountUpn, FailedFrom = IPAddress, FailedAt = Timestamp, SucceededFrom = IPAddress1, SucceededAt = Timestamp1
  • Microsoft Defender for Identity Health: Monitor the “Health Issues” tab in the portal, specifically for “Packet fragmentation” or “Dropped events” issues, which indicate that the DC is overloaded or the sensor is misconfigured.