Forum Discussion
NinjaKitty
Mar 08, 2023 | Brass Contributor
How does MDI monitor DNS Requests?
Hello, the https://learn.microsoft.com/en-us/defender-for-identity/monitored-activities#monitored-user-activities-domain-controller-based-user-operations documentation states that MDI monitors al...
- Mar 22, 2023
The MDI sensor also listens to the network traffic, so it can see the DNS queries from the network packets by the protocol (and/or port).
josequintino
Mar 27, 2023 | MCT
Microsoft Defender for Identity (MDI) monitors DNS requests and other activities on the domain controller to detect and investigate security threats. MDI collects data through several methods, including event logs, network traffic, and performance counters.
For DNS requests, MDI primarily relies on network traffic monitoring. It inspects the packets that are transmitted and received by the domain controller, looking for DNS requests and other relevant information. This allows MDI to detect and analyze anomalous DNS activities that could indicate potential security threats.
MDI Overview: https://docs.microsoft.com/en-us/defender-for-identity/what-is or MDI architecture: https://docs.microsoft.com/en-us/defender-for-identity/architecture
These resources give us great information about MDI components and how they work.
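To illustrate the passive approach the replies above describe (reading DNS queries out of packets by port and protocol), here is an added example that is not part of the thread and is not MDI's own code. The function names and the sample query are hypothetical and constructed, and only a UDP payload is handled.

```python
import struct

DNS_PORT = 53
QTYPES = {1: "A", 28: "AAAA", 33: "SRV", 252: "AXFR", 255: "ANY"}  # subset only

def parse_dns_query(payload: bytes):
    """Return (txid, qname, qtype) for a well-formed DNS query, else None."""
    if len(payload) < 12:                      # fixed DNS header is 12 bytes
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:          # QR bit set means a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):                # ran off the end: truncated
            return None
        length = payload[pos]
        pos += 1
        if length == 0:                        # root label ends the name
            break
        # Lengths above 63 are compression pointers or invalid; not followed here.
        if length > 63 or pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):                 # need QTYPE and QCLASS
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return txid, ".".join(labels), QTYPES.get(qtype, str(qtype))

def observe(udp_dst_port: int, payload: bytes):
    """Filter on port first, then validate the protocol structure."""
    if udp_dst_port != DNS_PORT:
        return None
    return parse_dns_query(payload)

def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Construct a sample query payload (test data, not a capture)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

if __name__ == "__main__":
    sample = build_query(0x1A2B, "_ldap._tcp.dc._msdcs.contoso.example", 33)
    print(observe(53, sample))
```

Because the parser works on the wire format alone, it needs no DNS server logging to be enabled, which is the property the replies point to.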