A company maintains an on-premises Active Directory environment with over 10,000 domain-joined computers. The security team is concerned about advanced attacks that use stolen credentials to move laterally, such as pass-the-hash attacks or DCSync attacks targeting domain controllers. They need a solution that monitors on-premises Active Directory traffic and event logs to detect these identity-based threats and provides alerts for investigation. Which Microsoft security solution should they deploy?
Defender for Identity profiles network traffic and event logs from domain controllers to detect suspicious activities such as pass-the-hash and DCSync, providing alerts for security teams.
Why this answer
Microsoft Defender for Identity is the correct solution because it is specifically designed to monitor on-premises Active Directory traffic and event logs to detect advanced identity-based threats like pass-the-hash, pass-the-ticket, and DCSync attacks. It uses behavioral analytics and machine learning to identify suspicious activities, such as anomalous Kerberos ticket requests or replication attempts, and provides real-time alerts for investigation.
Exam trap
The trap here is that candidates often confuse Microsoft Defender for Identity with Microsoft Sentinel, assuming that a SIEM is always the best choice for threat detection. Sentinel, however, lacks the specialized Active Directory protocol-level analysis and behavioral models that Defender for Identity provides natively.
How to eliminate wrong answers
Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint devices (e.g., workstations, servers) for malware, fileless attacks, and vulnerability management, not on monitoring Active Directory traffic or detecting DCSync attacks.
Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that protects cloud applications (e.g., Office 365, AWS) and does not monitor on-premises Active Directory traffic or event logs.
Option D is wrong because Microsoft Sentinel is a SIEM/SOAR solution that aggregates logs from multiple sources, but it is not a dedicated identity threat detection tool; while it can ingest AD logs, it lacks the specialized Active Directory protocol analysis and behavioral models that Defender for Identity provides out of the box.