1.5 Mitigate Threats Using Microsoft Defender for Identity

10-14 hours · Module 1 · Free

SC-200 Exam Objective

Domain 3 — Manage Incident Response: "Investigate and remediate security alerts from Microsoft Defender for Identity."

Introduction

Defender for Identity monitors on-premises Active Directory environments by analyzing traffic from domain controllers. It detects reconnaissance, credential theft, lateral movement, and domain dominance attacks that target Active Directory — the identity backbone of most enterprise environments.

This subsection teaches you what Defender for Identity detects, how its alerts appear in the XDR incident queue, and how to investigate and respond to identity-based threats. If your environment is cloud-only (Entra ID with no on-premises AD), Defender for Identity is less relevant — but most enterprise environments still have hybrid identity infrastructure.


What Defender for Identity detects

Defender for Identity sensors install on domain controllers and analyze authentication traffic, LDAP queries, DNS lookups, and replication requests. This gives it visibility into attack techniques that no other Defender product can see:

| Attack phase | Technique | How Defender for Identity detects it |
|---|---|---|
| Reconnaissance | LDAP enumeration, DNS zone transfer, account enumeration | Unusual LDAP query patterns from non-standard sources |
| Credential theft | Kerberoasting, AS-REP roasting, DCSync | Abnormal Kerberos ticket requests, replication requests from non-DC sources |
| Lateral movement | Pass-the-hash, pass-the-ticket, overpass-the-hash | Authentication anomalies: NTLM where Kerberos expected, ticket reuse from different IPs |
| Privilege escalation | SID-history injection, domain controller promotion | Unauthorized changes to sensitive group memberships or directory services |
| Domain dominance | Golden ticket, skeleton key, DCShadow | Forged Kerberos tickets, rogue domain controller registration |

Investigation workflow for identity alerts

When an identity alert appears in the XDR incident:

  1. Read the alert details — Defender for Identity provides a narrative explaining the detected behavior, the source device, the target accounts, and the MITRE ATT&CK mapping
  2. Check the lateral movement path — the portal shows graphically how the attacker could move from the compromised account to high-value targets (domain admins)
  3. Correlate with other products — did the identity alert coincide with an endpoint alert (malware running the credential theft tool) or an email alert (phishing that delivered the tool)?
  4. Response actions — disable the compromised account in AD, force password reset, investigate the source device for the tool that performed the attack
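Step 3 of the workflow is a join between an identity alert and alerts from the other Defender products on the same device (endpoint) or the same account (email) inside a time window. The following is an added example, not part of the course material or any Microsoft SDK: the alert records, field names and timestamps are constructed for illustration, and the two-hour window is an assumed tuning value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    """Minimal alert record; the field names are assumptions for this example,
    not the Microsoft Defender XDR schema."""
    product: str      # "MDI" (identity), "MDE" (endpoint) or "MDO" (email)
    title: str
    device: str       # device name for identity/endpoint alerts, "" for email
    account: str      # user principal name / mail recipient
    time: datetime


# Constructed sample incident: a phishing mail, a credential-theft tool on the
# workstation, then an identity alert from the same workstation (not real data).
ALERTS = [
    Alert("MDO", "Phishing email delivered", "", "j.morrison@example.com",
          datetime(2024, 5, 2, 8, 55)),
    Alert("MDE", "Credential theft tool executed", "DESKTOP-NGE042",
          "j.morrison@example.com", datetime(2024, 5, 2, 9, 12)),
    Alert("MDI", "Suspected identity theft (pass-the-hash)", "DESKTOP-NGE042",
          "j.morrison@example.com", datetime(2024, 5, 2, 9, 20)),
    Alert("MDE", "Malware on an unrelated host", "LAPTOP-0001",
          "a.chen@example.com", datetime(2024, 5, 2, 9, 25)),
    Alert("MDE", "Stale alert, same device, a month earlier", "DESKTOP-NGE042",
          "j.morrison@example.com", datetime(2024, 4, 1, 9, 0)),
]


def correlate(identity_alert, alerts, window=timedelta(hours=2)):
    """Return endpoint alerts sharing the device and email alerts sharing the
    account with `identity_alert`, restricted to +/- `window` around it."""
    lo, hi = identity_alert.time - window, identity_alert.time + window
    related = {"endpoint": [], "email": []}
    for a in alerts:
        if a is identity_alert or not (lo <= a.time <= hi):
            continue
        if a.product == "MDE" and a.device == identity_alert.device:
            related["endpoint"].append(a)
        elif a.product == "MDO" and a.account == identity_alert.account:
            related["email"].append(a)
    return related


def run_sample():
    """Correlate the first identity alert in the constructed sample."""
    mdi = next(a for a in ALERTS if a.product == "MDI")
    return correlate(mdi, ALERTS)


if __name__ == "__main__":
    for kind, found in run_sample().items():
        for a in found:
            print(f"{kind}: {a.time:%H:%M} {a.product} {a.title}")
```

The join key differs per product on purpose: an endpoint alert is related by device, an email alert by the account that received the message. The stale alert on the same device and the alert on a different host both fall out, which is the filtering a responder does by hand when reading the incident graph.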
// Investigate identity reconnaissance from Advanced Hunting
IdentityQueryEvents
| where Timestamp > ago(24h)
| where ActionType == "LDAP query"
| summarize QueryCount = count(), UniqueQueries = dcount(Query)
    by DeviceName, AccountUpn
| where QueryCount > 100
| order by QueryCount desc
Expected Output

| DeviceName | AccountUpn | QueryCount | UniqueQueries |
|---|---|---|---|
| DESKTOP-NGE042 | j.morrison@... | 347 | 12 |
What to look for: 347 LDAP queries from a standard user workstation is abnormal. Normal users do not run LDAP enumeration. This pattern indicates either a reconnaissance tool (BloodHound, AdFind) running on the device, or an attacker using the compromised account to map the AD environment before lateral movement.
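To make the hunting query's logic concrete outside the portal, here is the same pipeline (24-hour lookback, ActionType filter, count and distinct count per device and account, threshold, descending sort) implemented over an in-memory list. This is an added example, not course material or Microsoft code; the IdentityQueryEvents-style rows are constructed, the UPNs are placeholders, and the column names follow the query above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reference time and sample rows (not real telemetry).
NOW = datetime(2024, 5, 2, 12, 0)


def _rows(n, device, upn, distinct, age, action="LDAP query"):
    """Build n rows for one device/account, cycling through `distinct`
    different query strings, all timestamped `age` before NOW."""
    return [{"Timestamp": NOW - age - timedelta(seconds=i),
             "ActionType": action,
             "Query": f"(&(objectClass=user)(cn=*{i % distinct}*))",
             "DeviceName": device, "AccountUpn": upn}
            for i in range(n)]


EVENTS = (
    # 347 queries, 12 distinct strings: the workstation from the Expected Output
    _rows(347, "DESKTOP-NGE042", "j.morrison@example.com", 12, timedelta(hours=1))
    # a service account that also crosses the threshold, fewer queries
    + _rows(120, "SRV-APP01", "svc-inventory@example.com", 3, timedelta(hours=2))
    # ordinary user below the threshold
    + _rows(40, "LAPTOP-0001", "a.chen@example.com", 5, timedelta(minutes=30))
    # heavy but 30 hours old, outside ago(24h)
    + _rows(500, "DESKTOP-OLD", "b.lee@example.com", 20, timedelta(hours=30))
    # non-LDAP activity on the flagged workstation, excluded by ActionType
    + _rows(200, "DESKTOP-NGE042", "j.morrison@example.com", 4,
            timedelta(minutes=5), action="DNS query")
)


def hunt_ldap_enumeration(events, now, lookback=timedelta(hours=24), threshold=100):
    """Equivalent of the KQL: filter, summarize count()/dcount() by
    (DeviceName, AccountUpn), keep QueryCount > threshold, sort descending."""
    groups = defaultdict(lambda: {"QueryCount": 0, "Queries": set()})
    for e in events:
        if e["Timestamp"] <= now - lookback:        # where Timestamp > ago(24h)
            continue
        if e["ActionType"] != "LDAP query":         # where ActionType == "LDAP query"
            continue
        g = groups[(e["DeviceName"], e["AccountUpn"])]
        g["QueryCount"] += 1                        # count()
        g["Queries"].add(e["Query"])                # dcount(Query) via a set
    rows = [{"DeviceName": d, "AccountUpn": u,
             "QueryCount": g["QueryCount"], "UniqueQueries": len(g["Queries"])}
            for (d, u), g in groups.items() if g["QueryCount"] > threshold]
    return sorted(rows, key=lambda r: r["QueryCount"], reverse=True)


def run_hunt():
    """Run the hunt over the constructed sample."""
    return hunt_ldap_enumeration(EVENTS, NOW)


if __name__ == "__main__":
    for r in run_hunt():
        print(f'{r["DeviceName"]:16} {r["AccountUpn"]:28} '
              f'{r["QueryCount"]:>5} {r["UniqueQueries"]:>5}')
```

The low UniqueQueries value relative to QueryCount is the detail worth reading off the result: an enumeration tool repeats a handful of templated LDAP filters across the directory, which is why 347 queries collapse to 12 distinct strings.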

Check your understanding

1. Defender for Identity detects a Kerberoasting attempt. What is the attacker trying to achieve, and where do you investigate next?

Kerberoasting requests service tickets for accounts with SPNs, then cracks the tickets offline to obtain the service account passwords. The attacker wants credentials for lateral movement. Investigate: which service accounts were targeted? Check those accounts for suspicious logon activity. Check the source device for credential theft tools (pivot to Defender for Endpoint device timeline).
The attacker is trying to access Kerberos-protected files
This is a denial-of-service attack against AD
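The answer above says the first investigative question is which service accounts were targeted. The pattern Defender for Identity is reacting to is one principal requesting service tickets for many distinct service principal names in a short burst, which normal users never do. The following added example (not course material and not the product's detection logic) shows that burst detection with a sliding time window over constructed service-ticket request records; the field names, the 10-minute window and the 10-SPN threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Kerberos service-ticket request events. Field names
# are chosen for this example, not taken from any product schema.
BASE = datetime(2024, 5, 2, 9, 30)
TGS_EVENTS = [
    # one account asks for 15 different service accounts' tickets in ~2.5 minutes
    *[{"Time": BASE + timedelta(seconds=10 * i),
       "AccountUpn": "j.morrison@example.com", "SourceDevice": "DESKTOP-NGE042",
       "ServiceName": f"svc-app{i:02d}"} for i in range(15)],
    # normal: the same file server requested repeatedly throughout the morning
    *[{"Time": BASE + timedelta(minutes=5 * i),
       "AccountUpn": "a.chen@example.com", "SourceDevice": "LAPTOP-0001",
       "ServiceName": "cifs/fileserver"} for i in range(20)],
    # normal: 8 different services, but spread three hours apart
    *[{"Time": BASE + timedelta(hours=3 * i),
       "AccountUpn": "b.lee@example.com", "SourceDevice": "LAPTOP-0002",
       "ServiceName": f"http/web{i}"} for i in range(8)],
]


def detect_kerberoast_bursts(events, window=timedelta(minutes=10),
                             min_distinct_spns=10):
    """Flag (account, source device) pairs that request tickets for at least
    `min_distinct_spns` different services inside any `window`-long span.
    Returns the targeted service names, which is the list a responder needs
    for the next step (checking those service accounts for misuse)."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["Time"]):
        by_actor[(e["AccountUpn"], e["SourceDevice"])].append(e)

    findings = {}
    for actor, evs in by_actor.items():
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= `window`
            while evs[end]["Time"] - evs[start]["Time"] > window:
                start += 1
            spns = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(spns) >= min_distinct_spns and \
                    len(spns) > len(findings.get(actor, [])):
                findings[actor] = sorted(spns)   # keep the widest set seen
    return findings


def run_detection():
    """Run the detector over the constructed sample."""
    return detect_kerberoast_bursts(TGS_EVENTS)


if __name__ == "__main__":
    for (upn, device), spns in run_detection().items():
        print(f"{upn} from {device}: {len(spns)} service accounts targeted")
        print("  ", ", ".join(spns))
```

The sliding window matters more than the raw count: the third user also touches eight different services, but over a whole day, and never trips the detector. The returned SPN list is what you carry into the next step of the answer, checking each named service account for unexpected logons.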