What Microsoft Defender for Identity does
Defender for Identity monitors domain controller traffic and authentication events to detect suspicious activity indicative of advanced attacks. It identifies threats such as pass-the-hash, pass-the-ticket, and golden ticket attacks by analysing NTLM and Kerberos traffic. The service provides visibility into user and entity behaviour, highlighting anomalous actions that might signal a compromise. It uses machine learning and behavioural analytics to establish baselines and detect deviations from normal activity.
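The baseline-and-deviation idea described above, as an added illustration that is not Microsoft's or Defender for Identity's own code: it learns each account's usual source hosts, protocols and logon hours from a window of constructed NTLM/Kerberos logon events (as a domain controller would observe them), then flags later events that deviate. The CSV field layout and the `ticket_id` column (a constructed correlation handle for a Kerberos ticket, standing in for what a sensor would derive from traffic) are assumptions; the final check, one ticket presented from more than one host, is the kind of heuristic behind a pass-the-ticket alert.

```python
"""Simplified behavioural baselining over authentication events.

Added example, not Defender for Identity's logic. Event format and all
sample values are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed events: timestamp,account,source_host,protocol,ticket_id
# (ticket_id is empty for NTLM, which carries no Kerberos ticket).
BASELINE_LINES = """\
2024-03-04T08:05:00,alice,WS-ALICE,Kerberos,tgt-a1
2024-03-04T09:10:00,alice,WS-ALICE,Kerberos,tgt-a1
2024-03-05T08:15:00,alice,WS-ALICE,Kerberos,tgt-a2
2024-03-06T08:30:00,alice,WS-ALICE,Kerberos,tgt-a3
2024-03-04T08:00:00,bob,WS-BOB,Kerberos,tgt-b1
2024-03-04T14:00:00,bob,FILESRV,NTLM,
2024-03-05T08:05:00,bob,WS-BOB,Kerberos,tgt-b2
"""

ANALYSIS_LINES = """\
2024-03-11T08:10:00,alice,WS-ALICE,Kerberos,tgt-a9
2024-03-11T08:12:00,alice,WS-UNKNOWN,Kerberos,tgt-a9
2024-03-11T02:30:00,alice,WS-ALICE,NTLM,
2024-03-11T09:00:00,bob,FILESRV,NTLM,
2024-03-11T10:00:00,svc-new,WS-BOB,Kerberos,tgt-s1
"""


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    account: str
    src_host: str
    protocol: str
    ticket_id: str


@dataclass
class Baseline:
    """What 'normal' looks like for one account during the learning window."""
    hosts: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    hours: set = field(default_factory=set)


def parse_events(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        ts, account, host, proto, ticket = line.split(",")
        events.append(LogonEvent(datetime.fromisoformat(ts), account, host, proto, ticket))
    return events


def build_baselines(events: list) -> dict:
    baselines = defaultdict(Baseline)
    for e in events:
        b = baselines[e.account]
        b.hosts.add(e.src_host)
        b.protocols.add(e.protocol)
        b.hours.add(e.ts.hour)
    return baselines


def detect(baseline_text: str, analysis_text: str) -> list:
    """Return (account, timestamp, reasons) for each event that deviates."""
    baselines = build_baselines(parse_events(baseline_text))
    ticket_hosts = defaultdict(set)  # ticket_id -> hosts it was presented from
    findings = []
    for e in parse_events(analysis_text):
        reasons = []
        b = baselines.get(e.account)
        if b is None:
            # An account with no history cannot be judged against a baseline.
            reasons.append("no_baseline_for_account")
        else:
            if e.src_host not in b.hosts:
                reasons.append("new_source_host")
            if e.protocol not in b.protocols:
                reasons.append("unusual_protocol")
            # Tolerate one hour either side of the observed working window.
            lo, hi = min(b.hours) - 1, max(b.hours) + 1
            if not lo <= e.ts.hour <= hi:
                reasons.append("unusual_hour")
        if e.ticket_id:
            ticket_hosts[e.ticket_id].add(e.src_host)
            if len(ticket_hosts[e.ticket_id]) > 1:
                # Same Kerberos ticket seen from two machines: pass-the-ticket signal.
                reasons.append("ticket_reused_from_multiple_hosts")
        if reasons:
            findings.append((e.account, e.ts.isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for account, ts, reasons in detect(BASELINE_LINES, ANALYSIS_LINES):
        print(f"{ts} {account}: {', '.join(reasons)}")
```

On the constructed input this flags alice's logon from an unseen host that reuses the ticket just issued to her workstation, alice's out-of-hours NTLM logon (she only ever used Kerberos), and the never-seen `svc-new` account; bob's NTLM access to FILESRV is left alone because it matches his baseline. A real sensor adds far more signal (ticket lifetimes, encryption types, group membership changes), but the shape of the decision, learn then compare, is the same.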
Microsoft Defender for Identity in the AU hybrid reality
Many AU mid-market organisations operate hybrid Active Directory environments, integrating on-premises AD with Microsoft Entra ID using Entra Connect. Defender for Identity plays a critical role in extending Microsoft Defender XDR’s identity protection capabilities within these hybrid setups. Integrating MDI with Entra ID Protection allows for a more comprehensive view of user risk and enables automated remediation actions, helping to meet obligations under APRA CPS 234 and align with the ACSC Essential Eight’s focus on identity and access management.