Defender for Identity (MDI) positioned as the auth watchdog in Microsoft XDR
Key Questions
What is the primary role of Defender for Identity (MDI) in Microsoft XDR?
Defender for Identity (MDI) serves as the auth watchdog, providing primary telemetry for domain and authentication detections. It integrates with Sentinel rules enhanced by AI features like UEBA, Fusion, and anomaly detection for improved severity assessment and false positive mitigation.
How does MDI support investigations and incident management?
MDI includes two playbooks: one for synchronous investigation and another for asynchronous incident enrichment. It uses KQL joins with AADSignInLogs and EndpointProcess, along with 30-day baselines, complemented by high-fidelity network evidence from tools like Corelight Zeek and D3 Morpheus SIEM.
What advancements were highlighted at RSAC for Defender AI agents?
At RSAC, Defender AI agents were showcased for enabling multi-step triage, saving over 200 hours, and supporting Agentic SOC vetting. These agents integrate with third-party tools to build out the Security Copilot ecosystem, enhancing overall threat detection and response.
MDI telemetry is the primary source for domain and authentication detections. Sentinel rule integration adds AI features (UEBA, Fusion, anomaly detection) for severity assessment and false positive mitigation, with two playbooks: synchronous investigation and asynchronous incident enrichment. Detections use KQL joins (AADSignInLogs, EndpointProcess) and 30-day baselines. Complementary sources: Corelight Zeek with Entra network AI triage, D3 Morpheus SIEM probing (4400 alerts/day statistics), and high-fidelity network evidence for dynamic playbooks. At RSAC, Defender AI agents were shown enabling multi-step triage (200+ hours saved) and Agentic SOC vetting.