This chapter covers Microsoft Defender for Identity (MDI) alert categories—a critical topic for the SC-200 exam, as it tests your ability to classify and respond to identity-based threats. Understanding these categories is essential for using MDI effectively in a Microsoft 365 Defender environment. Approximately 10-15% of exam questions touch on MDI alert categories, often asking you to identify the correct category for a given attack scenario or to interpret alert details in the portal.
Imagine a secure facility with a central guard tower that monitors all activity. The tower uses multiple types of sensors: motion detectors, door contact sensors, glass-break sensors, and smoke detectors. Each sensor type generates specific alerts. A motion detector triggers a 'Movement Detected' alert; a glass-break sensor triggers a 'Potential Break-In' alert. The guard in the tower does not treat all alerts equally. A 'Movement Detected' alert during business hours might be a false positive (employees walking), while a 'Glass Break' alert at 3 AM triggers an immediate response. The guard categorizes alerts by severity and type to prioritize: 'Break-In' alerts are critical, 'Door Left Open' is moderate, 'Low Battery' is informational. Similarly, Microsoft Defender for Identity (MDI) monitors on-premises Active Directory traffic using sensors that detect specific suspicious activities. Each activity is categorized into an alert category—such as Lateral Movement, Credential Theft, or Privilege Escalation—allowing security analysts to prioritize and respond appropriately. Just as the guard tower has predefined rules for each sensor type, MDI has predefined detection rules that map network events to alert categories. The guard's logbook records each alert with its category, timestamp, and severity, enabling trend analysis and forensic investigation. In MDI, the Microsoft 365 Defender portal provides a unified view with filtering by alert category, severity, and time, helping analysts focus on the most critical threats first.
What Are Defender for Identity Alert Categories?
Microsoft Defender for Identity (MDI) is a cloud-based security solution that identifies, detects, and investigates advanced threats targeting on-premises Active Directory (AD) environments. MDI uses sensors deployed on domain controllers and AD FS servers to capture and analyze network traffic, Windows events, and authentication logs. When MDI detects suspicious activity, it generates an alert. Each alert belongs to a specific category that describes the type of attack or anomaly. The categories are part of the alert schema in Microsoft 365 Defender, and they help analysts quickly understand the nature of the threat and prioritize response.
Why Alert Categories Matter for SC-200
On the SC-200 exam, you will be asked to interpret MDI alerts, determine the correct category for a given scenario, and use categories to filter and investigate incidents. The exam focuses on the following categories:
Lateral Movement
Credential Theft
Privilege Escalation
Malicious Activity
Reconnaissance
Suspicious Activity
Each category has specific subcategories or detection types. For example, under Lateral Movement, you might see 'Pass-the-Hash' or 'Overpass-the-Hash'. The exam expects you to know these subcategories and the underlying attack techniques.
How MDI Classifies Alerts
MDI uses a combination of behavioral analytics, signature-based detection, and machine learning to classify alerts. The process involves:
Data Collection: MDI sensors capture network packets (e.g., Kerberos, NTLM, LDAP) and Windows Event Logs (e.g., 4624, 4625, 4776).
Feature Extraction: The sensor extracts key attributes such as source IP, destination IP, account name, protocol, and timestamps.
Detection Engine: The engine compares extracted features against known attack patterns (e.g., using a specific NTLM hash for multiple logins) and behavioral baselines (e.g., unusual VPN connection from a new location).
Alert Generation: If a match is found, an alert is created with a category based on the attack technique. For instance, if the detection engine observes a Kerberos ticket request with a forged PAC, it categorizes the alert as 'Privilege Escalation' (specifically 'Golden Ticket').
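The four steps above, carried through for one concrete rule, as an added example that is not MDI's code and not from the page's author: constructed 4776-style NTLM authentication lines are collected, parsed into features, run through a Pass-the-Hash correlation (the same hash authenticating from several source IPs inside the 5-minute window the page cites), and turned into a categorised alert. The field names, the `hash_id` stand-in for whatever key the real sensor uses to recognise reuse of one NTLM hash, and the two-source threshold are all assumptions.

```python
"""Toy reconstruction of the four-step MDI classification pipeline for one
rule: the Pass-the-Hash correlation. All records are constructed; the field
names are assumptions, not the sensor's real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Step 1 - data collection: constructed NTLM authentication events, modelled on
# Windows event 4776. "hash_id" is an assumed stand-in for the key the real
# sensor uses to recognise reuse of the same NTLM hash.
RAW_EVENTS = [
    "2024-05-01T09:00:05Z 4776 account=jsmith src_ip=10.0.1.20 hash_id=H1 status=0x0",
    "2024-05-01T09:01:10Z 4776 account=jsmith src_ip=10.0.1.20 hash_id=H1 status=0x0",
    "2024-05-01T09:02:40Z 4776 account=jsmith src_ip=10.0.7.55 hash_id=H1 status=0x0",
    "2024-05-01T09:03:15Z 4776 account=jsmith src_ip=10.0.9.18 hash_id=H1 status=0x0",
    "2024-05-01T09:04:00Z 4776 account=svc_backup src_ip=10.0.2.9 hash_id=H2 status=0x0",
    "2024-05-01T14:30:00Z 4776 account=svc_backup src_ip=10.0.8.3 hash_id=H2 status=0x0",
]

PTH_WINDOW = timedelta(minutes=5)   # page: default 5-minute correlation window
PTH_MIN_SOURCES = 2                  # assumption: two distinct source IPs suffice


def extract_features(line):
    """Step 2 - feature extraction: parse one event line into typed attributes."""
    ts, event_id, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "account": fields["account"],
        "src_ip": fields["src_ip"],
        "hash_id": fields["hash_id"],
        "success": fields["status"] == "0x0",
    }


def detect_pass_the_hash(events):
    """Step 3 - detection engine: the same hash authenticating successfully from
    PTH_MIN_SOURCES or more distinct source IPs inside one PTH_WINDOW span."""
    by_hash = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4776 and ev["success"]:
            by_hash[ev["hash_id"]].append(ev)
    hits = []
    for hash_id, evs in by_hash.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["time"] - first["time"] <= PTH_WINDOW]
            sources = sorted({e["src_ip"] for e in window})
            if len(sources) >= PTH_MIN_SOURCES:
                hits.append({"hash_id": hash_id, "account": first["account"],
                             "sources": sources, "start": first["time"]})
                break  # one hit per hash is enough to raise the alert
    return hits


def generate_alerts(hits):
    """Step 4 - alert generation: map the matched technique to its category."""
    return [{
        "category": "Lateral Movement",
        "technique": "Pass-the-Hash",
        "severity": "Medium",          # page: PtH is typically Medium
        "account": h["account"],
        "source_ips": h["sources"],
        "status": "New",
    } for h in hits]


def run_pipeline(raw_lines):
    return generate_alerts(detect_pass_the_hash([extract_features(l) for l in raw_lines]))


if __name__ == "__main__":
    for alert in run_pipeline(RAW_EVENTS):
        print(alert)
```

Run as a script, the pipeline raises one Lateral Movement alert for `jsmith` (hash H1 seen from three workstations within four minutes) and nothing for `svc_backup`, whose two logons are hours apart and so never share a window. The window slides from each event in turn, so a burst that starts late in a batch is still caught.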
Detailed Alert Categories
#### Lateral Movement
Lateral movement alerts indicate that an attacker is moving from one compromised system to another within the network. Common techniques include:
Pass-the-Hash (PtH): Using an NTLM hash to authenticate as another user without knowing the plaintext password. MDI detects this by correlating multiple authentication attempts from different systems using the same hash.
Overpass-the-Hash (OPtH): Using an NTLM hash to request a Kerberos ticket. MDI detects this by identifying Kerberos AS-REQ or TGS-REQ messages that use an NTLM hash instead of a password.
Pass-the-Ticket (PtT): Using a stolen Kerberos ticket to authenticate. MDI detects this by observing a Kerberos TGS-REQ with a ticket that was originally issued to a different system.
Remote Desktop Protocol (RDP) Brute Force: Multiple failed RDP logins followed by a successful login from an unusual source.
#### Credential Theft
Credential theft alerts involve attacks aimed at stealing user credentials, such as passwords, hashes, or tickets. Examples:
DCSync Attack: An attacker impersonates a domain controller and requests replication of password hashes. MDI detects this by monitoring Directory Replication Service (DRS) protocols (GetNCChanges) and comparing the requesting account against a baseline of authorized replication accounts.
Credential Theft via LSASS Dumping: An attacker uses tools like Mimikatz to dump credentials from LSASS memory. MDI detects this by monitoring event ID 4656 (handle to LSASS) or suspicious process creation (e.g., procdump.exe).
NTLM Relay: An attacker intercepts an NTLM authentication and relays it to another service. MDI detects this by analyzing NTLM authentication patterns and correlating them with other network events.
#### Privilege Escalation
Privilege escalation alerts indicate that an attacker is trying to gain higher-level permissions. Key detections:
Golden Ticket: An attacker forges a Kerberos Ticket Granting Ticket (TGT) with arbitrary privileges. MDI detects this by analyzing Kerberos TGT requests and looking for anomalies such as unusual ticket duration (default 10 hours) or a ticket that contains unknown SIDs.
Silver Ticket: An attacker forges a service ticket to access a specific service. MDI detects this by inspecting Kerberos service tickets and comparing them against legitimate tickets.
MS14-068 Exploit: An attacker uses a vulnerability in Kerberos to forge a PAC and escalate privileges. MDI detects this by checking for specific PAC validation failures.
#### Malicious Activity
Malicious activity alerts cover a broad range of known malware and attack tools. Examples:
Malware Detected: MDI integrates with Microsoft Defender Antivirus and other security products to detect malware on domain controllers.
Suspicious Service Creation: An attacker creates a service to maintain persistence. MDI detects this by monitoring event ID 4697 (service creation) and comparing it against a baseline of normal service creation.
WMI Persistence: An attacker uses WMI to execute malicious code. MDI detects this by monitoring WMI event creation and correlating with suspicious process activity.
#### Reconnaissance
Reconnaissance alerts indicate that an attacker is gathering information about the network. Examples:
Directory Enumeration: An attacker uses LDAP queries to enumerate users, groups, or computers. MDI detects this by analyzing LDAP search requests and flagging unusual patterns (e.g., querying all user objects).
DNS Reconnaissance: An attacker uses DNS queries to map the network. MDI detects this by monitoring DNS query patterns and comparing them to baselines.
SMB Session Enumeration: An attacker uses SMB to list shares or sessions. MDI detects this by analyzing SMB traffic and flagging large numbers of session enumeration requests.
#### Suspicious Activity
Suspicious activity alerts are for behaviors that may not match known attack patterns but deviate from normal behavior. Examples:
Unusual VPN Connection: A user connects from a new location or at an unusual time. MDI uses machine learning to establish a baseline of normal user behavior and flags deviations.
Anomalous Kerberos Traffic: An increase in Kerberos ticket requests from a single source. MDI uses statistical analysis to detect anomalies.
Suspicious Account Lockout: Multiple account lockouts in a short period. MDI correlates lockout events (4740) with authentication attempts.
Alert Severity and Status
Each alert also has a severity level:
High: Critical threats that require immediate investigation (e.g., Golden Ticket, DCSync).
Medium: Suspicious activities that should be investigated (e.g., Pass-the-Hash, unusual VPN).
Low: Informational alerts that may indicate misconfigurations or benign anomalies (e.g., directory enumeration by a legitimate admin tool).
Alerts can have statuses: New, In Progress, Resolved, Dismissed, and Acknowledged.
Viewing and Managing Alerts
In the Microsoft 365 Defender portal (security.microsoft.com), navigate to Incidents & Alerts > Alerts. Use the filter options to display alerts by category, severity, or detection source. For example, to see all Lateral Movement alerts, filter by 'Lateral Movement' in the category field. You can also use the Microsoft 365 Defender APIs to programmatically retrieve alerts.
Integration with Microsoft 365 Defender
MDI alerts are automatically correlated with alerts from other Microsoft 365 Defender components (Defender for Endpoint, Defender for Office 365, Defender for Cloud Apps) to form incidents. When investigating an incident, you can see all related alerts grouped by attack story. The alert category helps determine the attack phase (e.g., lateral movement is part of the 'Lateral Movement' phase in the MITRE ATT&CK framework).
Configuration and Tuning
You can configure alert exclusions to reduce noise. For example, if a legitimate vulnerability scanner triggers Reconnaissance alerts, you can exclude its IP address. To do this, go to Settings > Identities > Alert exclusions. You can also adjust sensitivity for certain detections (e.g., set the threshold for account lockout alerts).
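Two post-detection steps described above, incident correlation (alerts grouped when they share an account or device) and alert exclusions (by IP, account or computer), as one added example that is not the portal's data model or the project's code. The alert feed, the exclusion rules and the category-to-tactic map are constructed; TA0008 and TA0006 are on the page, while TA0004 (Privilege Escalation) and TA0007 (Discovery) are the standard ATT&CK tactic IDs.

```python
"""Added example: apply alert exclusions, then correlate the surviving alerts
into incidents by shared entities. All data below is constructed."""
import ipaddress

# Constructed alert feed carrying the entities MDI shows per alert
ALERTS = [
    {"id": 1, "category": "Reconnaissance", "severity": "Low", "account": "svc_scan",
     "device": "SCAN01", "ip": "10.0.3.7"},
    {"id": 2, "category": "Lateral Movement", "severity": "Medium", "account": "jsmith",
     "device": "WS-RAD-04", "ip": "10.0.7.55"},
    {"id": 3, "category": "Credential Theft", "severity": "High", "account": "jsmith",
     "device": "SQL01", "ip": "10.0.5.31"},
    {"id": 4, "category": "Privilege Escalation", "severity": "High",
     "account": "administrator", "device": "SQL01", "ip": "10.0.5.31"},
    {"id": 5, "category": "Suspicious Activity", "severity": "Medium", "account": "bjones",
     "device": "WS-FIN-11", "ip": "10.0.12.4"},
]

# Constructed exclusion rules, mirroring the IP / account / computer options
# under Settings > Identities > Alert exclusions
EXCLUSIONS = {
    "ips": [ipaddress.ip_network("10.0.3.0/24")],   # vulnerability scanner subnet
    "accounts": set(),
    "devices": set(),
}

# ATT&CK tactic per category (TA0008 / TA0006 from the page; TA0004 / TA0007
# are the standard IDs for Privilege Escalation and Discovery)
CATEGORY_TO_TACTIC = {
    "Lateral Movement": "TA0008",
    "Credential Theft": "TA0006",
    "Privilege Escalation": "TA0004",
    "Reconnaissance": "TA0007",
}

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}


def is_excluded(alert, rules=EXCLUSIONS):
    ip = ipaddress.ip_address(alert["ip"])
    return (any(ip in net for net in rules["ips"])
            or alert["account"] in rules["accounts"]
            or alert["device"] in rules["devices"])


def apply_exclusions(alerts, rules=EXCLUSIONS):
    return [a for a in alerts if not is_excluded(a, rules)]


def group_into_incidents(alerts):
    """Union-find over alerts: two alerts join one incident when they share an
    account or a device. Incidents come back sorted by highest severity."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # (entity kind, value) -> id of the first alert carrying it
    for a in alerts:
        for key in (("account", a["account"]), ("device", a["device"])):
            if key in first_seen:
                parent[find(a["id"])] = find(first_seen[key])
            else:
                first_seen[key] = a["id"]

    groups = {}
    for a in alerts:
        groups.setdefault(find(a["id"]), []).append(a)
    incidents = [{
        "alert_ids": sorted(m["id"] for m in members),
        "severity": max((m["severity"] for m in members), key=SEVERITY_RANK.get),
        "tactics": sorted({CATEGORY_TO_TACTIC.get(m["category"], "n/a") for m in members}),
    } for members in groups.values()]
    return sorted(incidents, key=lambda i: -SEVERITY_RANK[i["severity"]])


if __name__ == "__main__":
    for inc in group_into_incidents(apply_exclusions(ALERTS)):
        print(inc)
```

The scanner's Reconnaissance alert is dropped by the subnet exclusion before grouping, so it never pads an incident; alerts 2, 3 and 4 chain together through `jsmith` and `SQL01` into one High-severity incident spanning three tactics, which is the "attack story" view the portal presents, while the unrelated Suspicious Activity alert stays its own incident.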
Key Numbers and Defaults
Default Kerberos ticket lifetime: 10 hours. Alerts for Golden Ticket often check for tickets with lifetimes significantly longer than 10 hours.
DCSync detection: MDI monitors the GetNCChanges DRSUAPI call. By default, only domain controllers should make this call. Any other account triggers an alert.
Pass-the-Hash detection: MDI correlates NTLM authentication events across multiple source IPs using the same hash within a short time window (default 5 minutes).
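The two remaining thresholds in this list, the 10-hour TGT lifetime used by Golden Ticket detection and the "only domain controllers call GetNCChanges" rule behind DCSync detection, as an added example written for this page rather than taken from MDI. The ticket and DRS records, the set of authorised replicator accounts and the list of known SIDs are all constructed, and the field names are assumptions.

```python
"""Added illustration of two MDI thresholds: TGT lifetime / unknown-SID checks
for Golden Ticket, and a replication baseline for DCSync. Constructed data."""
from datetime import datetime, timedelta

DEFAULT_TGT_LIFETIME = timedelta(hours=10)   # page: default Kerberos TGT lifetime
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}       # constructed replication baseline
KNOWN_SIDS = {                                # constructed directory SIDs
    "S-1-5-21-1000-2000-3000-512",            # Domain Admins
    "S-1-5-21-1000-2000-3000-1104",           # an ordinary user
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed TGT observations: who got a ticket, when it was issued and
# expires, and which SIDs its PAC carries
TGT_EVENTS = [
    {"account": "jsmith", "issued": _ts("2024-05-01T08:00:00Z"),
     "expires": _ts("2024-05-01T18:00:00Z"),
     "sids": ["S-1-5-21-1000-2000-3000-1104"]},
    {"account": "administrator", "issued": _ts("2024-05-01T08:00:00Z"),
     "expires": _ts("2024-05-03T08:00:00Z"),
     "sids": ["S-1-5-21-1000-2000-3000-512", "S-1-5-21-9999-9999-9999-512"]},
]

# Constructed DRSUAPI observations: which account asked a DC to replicate
DRS_EVENTS = [
    {"caller": "DC02$", "src_ip": "10.0.0.2", "opnum": "GetNCChanges"},
    {"caller": "SQL01$", "src_ip": "10.0.5.31", "opnum": "GetNCChanges"},
    {"caller": "SQL01$", "src_ip": "10.0.5.31", "opnum": "DsBind"},
]


def golden_ticket_alerts(tgts, max_lifetime=DEFAULT_TGT_LIFETIME, known_sids=KNOWN_SIDS):
    """Flag a TGT whose lifetime exceeds the domain default or whose PAC carries
    a SID the directory does not know (the two anomalies the page names)."""
    alerts = []
    for t in tgts:
        lifetime = t["expires"] - t["issued"]
        unknown = [s for s in t["sids"] if s not in known_sids]
        reasons = []
        if lifetime > max_lifetime:
            reasons.append(f"lifetime {lifetime} exceeds default {max_lifetime}")
        if unknown:
            reasons.append(f"unknown SIDs {unknown}")
        if reasons:
            alerts.append({"category": "Privilege Escalation", "technique": "Golden Ticket",
                           "severity": "High", "account": t["account"], "reasons": reasons})
    return alerts


def dcsync_alerts(drs_events, authorised=DOMAIN_CONTROLLERS):
    """Flag GetNCChanges issued by any account outside the replication baseline."""
    return [{"category": "Credential Theft", "technique": "DCSync", "severity": "High",
             "account": e["caller"], "src_ip": e["src_ip"]}
            for e in drs_events
            if e["opnum"] == "GetNCChanges" and e["caller"] not in authorised]


if __name__ == "__main__":
    for a in golden_ticket_alerts(TGT_EVENTS) + dcsync_alerts(DRS_EVENTS):
        print(a)
```

A ticket that lasts exactly the 10-hour default is left alone; the 48-hour ticket is reported for both its lifetime and the foreign SID in its PAC, matching the bank scenario later on the page. On the DRS side only the GetNCChanges call from `SQL01$` fires; the same host's DsBind is not replication and a domain controller's own GetNCChanges is baseline behaviour.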
Verification Commands
While MDI is a cloud service, you can verify sensor health using PowerShell on the sensor machine:
```powershell
Get-Service AzureAdvancedThreatProtectionSensor
```

To check if the sensor is sending data, review the sensor log at `%ProgramFiles%\Azure Advanced Threat Protection Sensor\Version X\Logs\Microsoft.Tri.Sensor.log`.
Interaction with Related Technologies
MDI alerts feed into:
Microsoft 365 Defender: Alerts are correlated with Defender for Endpoint and other components.
Azure Sentinel: You can stream MDI alerts to Azure Sentinel via the Microsoft 365 Defender connector.
Microsoft Defender for Cloud Apps: MDI alerts can be integrated to provide context for cloud app sessions.
Understanding alert categories is crucial for effective threat hunting and incident response. The SC-200 exam will test your ability to map attack techniques to the correct category and use the portal to investigate.
Deploy MDI Sensor on Domain Controller
The MDI sensor is installed on each domain controller (and optionally AD FS servers). It captures network traffic using WinPcap or Npcap, and reads Windows Event Logs. The sensor forwards parsed data to the MDI cloud service. Ensure the sensor has network connectivity to the MDI service endpoints (e.g., *.atp.azure.com). Verify installation by checking the service status with `Get-Service AzureAdvancedThreatProtectionSensor`. The sensor uses port 443 for outbound communication. If the sensor fails to start, check the log file for errors.
Configure Data Sources and Event Collection
MDI requires specific Windows Event Logs to be enabled: 4776 (NTLM authentication), 4624 (logon), 4625 (failed logon), 4648 (explicit logon), 4672 (special privileges assigned), and 4697 (service creation). Use Group Policy or Advanced Audit Policy to enable these audit events. For example, enable 'Audit Logon' and 'Audit Account Logon' for success and failure. Without these events, MDI cannot detect many attacks like Pass-the-Hash. Verify event collection by checking the sensor log for 'EventLogReader' entries.
Monitor Alerts in Microsoft 365 Defender
Navigate to Microsoft 365 Defender portal (security.microsoft.com). Go to Incidents & Alerts > Alerts. Filter by detection source 'Microsoft Defender for Identity'. Review the alert list. Each alert shows category, severity, time, and associated entities (user, device, IP). Click on an alert to see detailed information, including the attack timeline and evidence. For example, a Lateral Movement alert might show the source and destination computers and the user account used.
Investigate Alert Using Attack Timeline
Open an alert to view the attack timeline. The timeline shows chronological events leading to the alert. For a Pass-the-Hash alert, you might see: 1) User A logs into Computer X (legitimate), 2) Later, from Computer Y, the same hash is used to authenticate as User A. You can click on each event for details. Use the timeline to understand the attack path and identify affected accounts and machines. This helps determine the scope of compromise.
Respond and Remediate Based on Alert Category
Based on the alert category, take appropriate action. For Credential Theft (e.g., DCSync), immediately reset the compromised account's password and disable the account if needed. For Lateral Movement (e.g., Pass-the-Hash), isolate the compromised machine and investigate other machines that may have been accessed. For Privilege Escalation (e.g., Golden Ticket), reset the KRBTGT account password twice (to invalidate all Kerberos tickets). Document the incident and update alert status to 'Resolved' after remediation.
Scenario 1: DCSync Attack in a Large Enterprise
A multinational company with 500 domain controllers deploys MDI to protect its Active Directory. One day, MDI generates a 'Credential Theft' alert for a DCSync attack. The alert shows that a non-domain controller server (SQL01) is making GetNCChanges requests. The security team investigates and finds that SQL01 was compromised via an unpatched vulnerability. The attacker used Mimikatz to perform DCSync and stole hashes of all domain admin accounts. The team immediately resets the KRBTGT password twice and all domain admin passwords. They also isolate SQL01 and restore it from a clean backup. The alert category helped prioritize the incident as critical. Performance considerations: MDI sensors on each DC must handle high traffic; ensure sensors have sufficient CPU and memory (minimum 2 cores, 6 GB RAM). Misconfiguration: If event logs are not properly enabled, DCSync might not be detected. The team learned to audit all DCs for required audit settings.
Scenario 2: Pass-the-Hash Detection in a Healthcare Organization
A hospital with 50 domain controllers uses MDI to detect lateral movement. An alert for 'Pass-the-Hash' appears, showing that a user account 'jsmith' is authenticating from multiple workstations within a short time. The security team sees that the hash was captured from a compromised workstation in the radiology department. They isolate the workstation and reset jsmith's password. They also check other workstations for similar activity. The alert category 'Lateral Movement' helped them understand that the attacker was moving laterally. Common pitfall: False positives can occur if a user legitimately uses multiple machines (e.g., IT admin). To reduce noise, the team excludes known administrative IPs from alerting. Scale: With 50 DCs, the MDI cloud service processes millions of events daily; the team uses the category filter to focus on high-severity alerts.
Scenario 3: Golden Ticket Detection in a Financial Institution
A bank with 200 domain controllers detects a 'Privilege Escalation' alert for a Golden Ticket. The alert shows a Kerberos TGT with a lifetime of 48 hours (default is 10). The attacker used a forged ticket to access sensitive financial systems. The security team immediately resets the KRBTGT account password twice, which invalidates all existing tickets. They also review all recent Kerberos ticket requests to find the initial compromise. The alert category 'Privilege Escalation' guided them to the correct remediation. Performance: MDI sensors use machine learning to baseline normal ticket lifetimes; any deviation triggers an alert. Misconfiguration: If the sensor fails to parse Kerberos traffic (e.g., due to network encryption), Golden Ticket detection may be missed. The bank ensures that the sensor has the Network Service account with appropriate permissions to read network traffic.
Exactly What SC-200 Tests on MDI Alert Categories
The SC-200 exam objective 1.2 'Respond to threats using Microsoft Defender for Identity' includes: 'Interpret alerts generated by Microsoft Defender for Identity' and 'Identify the category of an alert based on the attack technique.' Questions may present a scenario (e.g., 'An attacker uses a stolen NTLM hash to authenticate to multiple servers. Which alert category does this belong to?') and ask you to choose the correct category from a list. Common category names tested: Lateral Movement, Credential Theft, Privilege Escalation, Reconnaissance, Malicious Activity, and Suspicious Activity. Subcategories like 'Pass-the-Hash', 'DCSync', 'Golden Ticket' are also tested. You must know which subcategory maps to which category.
Most Common Wrong Answers and Why
Confusing Lateral Movement with Credential Theft: Candidates often think Pass-the-Hash is credential theft because it uses stolen credentials. However, PtH is a lateral movement technique because the attacker uses the hash to move between machines. The key is: credential theft is about *acquiring* credentials; lateral movement is about *using* them to access other systems.
Mistaking Golden Ticket for Credential Theft: Golden Ticket is a forged ticket that grants arbitrary privileges, so it is Privilege Escalation, not Credential Theft. Credential theft would be stealing a password or hash, not forging a ticket.
Thinking DCSync is Reconnaissance: DCSync is actually a credential theft technique because it steals password hashes. Reconnaissance is about gathering information without stealing credentials (e.g., LDAP enumeration).
Overlooking Severity: The exam may ask about severity levels. High severity includes Golden Ticket, DCSync, and other critical attacks. Medium includes Pass-the-Hash. Low includes reconnaissance by admin tools.
Specific Numbers, Values, and Terms
Default Kerberos ticket lifetime: 10 hours. Alerts for Golden Ticket often involve tickets with lifetime > 10 hours.
DCSync detection: MDI monitors the GetNCChanges DRSUAPI call. Only domain controllers should make this call.
Pass-the-Hash detection window: Default 5 minutes for correlating multiple authentications with the same hash.
Event IDs: 4776 (NTLM), 4624 (logon), 4625 (failed logon), 4672 (privilege assigned), 4697 (service creation).
Edge Cases and Exceptions
False positives: Legitimate tools like vulnerability scanners may trigger Reconnaissance alerts. You can exclude them by IP.
Network encryption: If Kerberos traffic is encrypted (e.g., using IPsec), MDI may not detect some attacks. Ensure sensors can read plaintext traffic.
Multiple sensors: If you have multiple domain controllers, alerts are correlated across all sensors. A single attack may generate multiple alerts; they are merged into one incident.
How to Eliminate Wrong Answers
Focus on the attack action: Is the attacker stealing, using, or elevating? Stealing = Credential Theft. Using = Lateral Movement. Elevating = Privilege Escalation. Gathering info = Reconnaissance.
Check the MITRE ATT&CK technique: SC-200 aligns with MITRE. For example, T1550.002 (Pass-the-Hash) is Lateral Movement, T1003.006 (DCSync) is Credential Theft, T1558.001 (Golden Ticket) is Privilege Escalation.
Remember the category hierarchy: Subcategories are children of the main category. If you know the subcategory, you can derive the category.
MDI alert categories: Lateral Movement, Credential Theft, Privilege Escalation, Reconnaissance, Malicious Activity, Suspicious Activity.
Pass-the-Hash is Lateral Movement; DCSync is Credential Theft; Golden Ticket is Privilege Escalation.
Default Kerberos ticket lifetime is 10 hours; Golden Ticket alerts often involve longer lifetimes.
DCSync detection monitors GetNCChanges DRSUAPI calls; only domain controllers should make these calls.
Pass-the-Hash detection correlates NTLM authentications from different IPs within a 5-minute window.
Event IDs critical for MDI: 4776, 4624, 4625, 4672, 4697.
Alerts are correlated into incidents in Microsoft 365 Defender with other Defender components.
Severity levels: High (Golden Ticket, DCSync), Medium (Pass-the-Hash), Low (Reconnaissance by admin tools).
Alert exclusions can be configured to reduce false positives from legitimate tools.
Always reset KRBTGT password twice to invalidate all Kerberos tickets after a Golden Ticket attack.
These come up on the exam all the time. Here's how to tell them apart.
Lateral Movement
Involves using stolen credentials to move between systems.
Examples: Pass-the-Hash, Overpass-the-Hash, Pass-the-Ticket.
Detected by correlating authentication events from different source IPs.
Severity typically Medium.
MITRE ATT&CK: TA0008 (Lateral Movement).
Credential Theft
Involves stealing credentials (hashes, tickets, passwords).
Examples: DCSync, LSASS dumping, NTLM relay.
Detected by monitoring replication protocols or process access.
Severity typically High.
MITRE ATT&CK: TA0006 (Credential Access).
Mistake
Pass-the-Hash is a credential theft technique.
Correct
Pass-the-Hash is a lateral movement technique. The attacker uses a stolen hash to move to another system, not to steal it. Credential theft techniques include DCSync and LSASS dumping.
Mistake
Golden Ticket alerts belong to the Credential Theft category.
Correct
Golden Ticket alerts belong to Privilege Escalation because the attacker forges a ticket to gain elevated privileges. Credential theft involves stealing existing credentials, not forging new ones.
Mistake
DCSync is a reconnaissance technique.
Correct
DCSync is a credential theft technique because it steals password hashes from a domain controller. Reconnaissance techniques gather information without stealing credentials, like LDAP enumeration.
Mistake
All MDI alerts have high severity.
Correct
MDI alerts have three severity levels: High (e.g., Golden Ticket), Medium (e.g., Pass-the-Hash), and Low (e.g., reconnaissance by admin tools). Only critical threats are high severity.
Mistake
MDI alerts are standalone and not correlated with other Defender alerts.
Correct
MDI alerts are automatically correlated with alerts from Defender for Endpoint, Office 365, and Cloud Apps in Microsoft 365 Defender to form incidents. This provides a unified view of the attack.
The main categories are Lateral Movement, Credential Theft, Privilege Escalation, Reconnaissance, Malicious Activity, and Suspicious Activity. Each category covers specific attack techniques. For example, Lateral Movement includes Pass-the-Hash and Pass-the-Ticket; Credential Theft includes DCSync and LSASS dumping; Privilege Escalation includes Golden Ticket and Silver Ticket. These categories help analysts quickly classify and prioritize alerts.
MDI monitors the Directory Replication Service (DRS) protocol, specifically the GetNCChanges RPC call. Only domain controllers should initiate this call. If any other computer or account makes a GetNCChanges request, MDI generates a Credential Theft alert. The alert includes the source IP, the requesting account, and the target domain. This detection is critical because DCSync allows an attacker to steal all password hashes from Active Directory.
Both are Privilege Escalation alerts. A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) that grants domain admin privileges. A Silver Ticket is a forged service ticket that grants access to a specific service (e.g., CIFS, HTTP). MDI detects Golden Tickets by analyzing TGT requests for anomalies like unusually long ticket lifetimes or unknown SIDs. Silver Tickets are detected by inspecting service tickets for discrepancies in the Privilege Attribute Certificate (PAC).
No. Pass-the-Hash relies on NTLM authentication. If NTLM is disabled in the domain, MDI cannot detect Pass-the-Hash via NTLM traffic. However, MDI can detect Overpass-the-Hash, which uses an NTLM hash to request a Kerberos ticket. So even with NTLM disabled, MDI can still detect some forms of hash-based attacks. The sensor must be able to capture Kerberos traffic for Overpass-the-Hash detection.
Navigate to the Microsoft 365 Defender portal (security.microsoft.com). Go to Incidents & Alerts > Alerts. Use the filter panel to set 'Detection source' to 'Microsoft Defender for Identity'. You can also filter by category, severity, or time. Click on an alert to see details, including the attack timeline, affected entities, and recommended actions. Alerts are also automatically grouped into incidents with other Defender alerts.
Immediately reset the KRBTGT account password twice. This invalidates all existing Kerberos tickets, including the forged Golden Ticket. After the reset, all Kerberos tickets must be reissued. Also, investigate how the attacker obtained the KRBTGT hash (likely via DCSync or LSASS dumping). Reset the passwords of any compromised accounts and review domain controller security. Finally, ensure that domain controllers are fully patched and that monitoring is in place.
Yes. In the Microsoft 365 Defender portal, go to Settings > Identities > Alert exclusions. You can create exclusion rules based on IP addresses, accounts, or computers. For example, exclude your vulnerability scanner's IP to prevent Reconnaissance alerts. Exclusions apply to all alert categories. Be careful not to exclude legitimate threats. Use exclusions sparingly and review them periodically.