Sensors & AD Signal Collection
Understanding the Concept
Defender for Identity uses sensors installed on domain controllers and AD FS servers to capture Active Directory traffic and Windows events. The sensor operates as a passive listener on the domain controller, analyzing LDAP, DNS, Kerberos, NTLM, and RPC protocols without impacting DC performance.
The sensor sends parsed data to the Defender for Identity cloud service for analysis. It requires no additional hardware - it runs directly on the DC. For environments where DC installation isn't possible, a standalone sensor with port mirroring is available.
Proper sensor deployment is critical for detection coverage. All domain controllers must have sensors installed for complete visibility. The health dashboard monitors sensor status, version, and data collection metrics.
Key Points
- Sensors installed on Domain Controllers and AD FS servers
- Passive analysis: LDAP, DNS, Kerberos, NTLM, RPC protocols
- Runs directly on DC with minimal performance impact
- Standalone sensor option for environments restricting DC installation
- All DCs must have sensors for complete visibility
- Health dashboard monitors sensor status and data freshness
Why This Matters in Real Organizations
80% of breaches involve compromised credentials and identity-based attacks. Without monitoring Active Directory signals, organizations miss reconnaissance, lateral movement, and domain dominance attacks that happen post-compromise.
Common Mistakes to Avoid
Interview Tips
- Explain how identity-based threat detection works
- Discuss sensor deployment strategies for large AD environments
Exam Tips (SC-200)
- Know sensor deployment requirements and options
- Understand protocols analyzed by the sensor
- Know the Directory Service Account purpose
Course Complete!
You've finished all lessons