Forum Discussion
NinjaKitty (Brass Contributor)
Mar 08, 2023
How does MDI monitor DNS Requests?
Hello,
The Microsoft Learn documentation states that MDI monitors all DNS requests that are performed against the domain controller. I wonder how this is done. Via event logs, the DNS log file, or ...?
Is there perhaps a blog article on how MDI works under the hood?
Cheers
Martin
- josequintino (Iron Contributor)
Microsoft Defender for Identity (MDI) monitors DNS requests and other activities on the domain controller to detect and investigate security threats. MDI collects data through several methods, including event logs, network traffic, and performance counters.
For DNS requests, MDI primarily relies on network traffic monitoring. It inspects the packets that are transmitted and received by the domain controller, looking for DNS requests and other relevant information. This allows MDI to detect and analyze anomalous DNS activities that could indicate potential security threats.
MDI Overview: https://docs.microsoft.com/en-us/defender-for-identity/what-is or MDI architecture: https://docs.microsoft.com/en-us/defender-for-identity/architecture
These resources give us great information about MDI components and how they work.
- NinjaKitty (Brass Contributor)
Can you help me out on this one, Martin_Schvartzman?
- Martin_Schvartzman (Microsoft)
The MDI sensor also listens to the network traffic, so it can see the DNS queries from the network packets by the protocol (and/or port).
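As an added illustration of what "by the protocol (and/or port)" means in practice (example code written for this thread, not MDI's own implementation): a minimal passive-sensor style classifier that selects packets to port 53 and decodes the DNS question section from the wire format. The sample packet is constructed, not captured.

```python
import struct

# Constructed sample (not captured from a real sensor): a standard DNS query
# for example.com, type A, class IN, as carried in a UDP payload to port 53.
SAMPLE_QUERY = bytes.fromhex(
    "1a2b" "0100" "0001"  # transaction ID, flags (QR=0 query, RD=1), QDCOUNT=1
    "0000" "0000" "0000"  # ANCOUNT, NSCOUNT, ARCOUNT
    "076578616d706c6503636f6d00"  # QNAME: 7 "example", 3 "com", 0
    "0001" "0001"  # QTYPE = A, QCLASS = IN
)

QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}


def read_qname(buf, offset):
    """Decode the uncompressed QNAME at offset; returns (name, offset after it)."""
    labels = []
    while True:
        if offset >= len(buf):
            raise ValueError("truncated name")
        length = buf[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compressed label in question section")
        labels.append(buf[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_dns_query(payload):
    """Return (qname, qtype) for a DNS query message, or None if not a well-formed query."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qdcount < 1:  # QR=1 means a response, not a query
        return None
    try:
        qname, off = read_qname(payload, 12)
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    except (ValueError, struct.error):
        return None
    return qname, QTYPE_NAMES.get(qtype, str(qtype))


def classify_packet(proto, dst_port, payload):
    """Do what a passive sensor does: select by protocol and port, then decode the query."""
    if proto not in ("udp", "tcp") or dst_port != 53:
        return None
    if proto == "tcp":  # DNS over TCP prefixes the message with a 2-byte length
        payload = payload[2:]
    return parse_dns_query(payload)
```

Truncated or malformed payloads and DNS responses (QR bit set) are reported as None rather than raising, which is the behaviour you want from a sensor that must keep parsing whatever the wire delivers.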
- NinjaKitty (Brass Contributor)
That is interesting. What could be wrong if it doesn't, or rather only gets a few of all DNS queries? (not standalone)