The DSA in Microsoft Defender for Identity (MDI) is used for several critical functions including (but not limited to) the following:
-
🔐 Connecting to the domain controller at startup.
-
🔐 Querying the domain controller for data on entities seen in network traffic, monitored events, and monitored ETW activities.
-
🔐 Requesting member lists for local administrator groups from devices via a SAM-R call.
-
🔐 Accessing the DeletedObjects container to collect information about deleted users and computers.
-
🔐 Domain and trust mapping, which occurs at sensor startup and every 10 minutes thereafter.
-
🔐 Querying another domain via LDAP for details when detecting activities from entities in those domains.
🔑 A DSA is required for full security coverage in MDI. Without a DSA, you may expose your environment to certain risks, such as:
-
😥 Inability to fully monitor and analyze activities on your network, which could lead to undetected security breaches❗
-
😧 Lack of detailed information about deleted objects, which could be exploited by attackers to gain unauthorized access❗
-
😵 Insufficient data to calculate potential lateral movement paths, which are crucial for identifying compromised accounts and preventing further spread of an attack within the network❗
⚠ Not having a DSA in MDI can significantly limit the visibility and control over your network’s security, potentially leaving it vulnerable to undetected attacks. It’s recommended to configure a DSA for comprehensive protection❗❗❗