What is ITDR?
Status: Scaffold — content in progress
Identity Threat Detection and Response (ITDR) is the discipline of detecting threats that abuse identity systems and credentials, and responding to contain and remediate those threats.
The term was coined by Gartner in 2022 to name a category that had been practiced informally for years but lacked a unified label.
ITDR Scope
ITDR covers threats across the full identity lifecycle:
| Stage | Threat Examples |
|---|---|
| Credential acquisition | Phishing, credential stuffing, password spray, Kerberoasting (offline cracking of service ticket hashes) |
| Authentication abuse | MFA bypass, token theft, Pass-the-Hash |
| Authorization escalation | ACL abuse, role assignment manipulation, RBAC misconfiguration |
| Lateral movement via identity | Pass-the-Ticket, logon with a service account cracked via Kerberoasting, SAML token reuse |
| Persistence via identity | Backdoor accounts, added credentials, OAuth app persistence |
| Exfiltration via identity | Data access through legitimate credentials |
ITDR vs Adjacent Disciplines
| Discipline | Focus | Relationship to ITDR |
|---|---|---|
| SIEM | Log aggregation and correlation | ITDR uses SIEM as a data source |
| EDR | Endpoint process and file telemetry | EDR sees the endpoint side of identity attacks (LSASS credential dumping, token manipulation); ITDR correlates that with identity-plane telemetry |
| IDP security | Identity provider hardening | ITDR detects when the IDP is abused |
| PAM | Privileged access management | PAM reduces the attack surface; ITDR detects abuse when PAM is bypassed |
| UEBA | User and entity behavior analytics | UEBA is a detection technique within ITDR |
The ITDR Detection Chain (This Handbook)
Understand the protocol → Know the attack primitive → Map required telemetry → Write detection → Validate in lab
- Protocol knowledge (Section 02): understand how Kerberos, OAuth, SAML, etc. work, because you cannot recognise abuse without a model of normal protocol behaviour
- Attack knowledge (Section 04): understand what the attacker does, which evidence it leaves, which ATT&CK technique it maps to
- Detection engineering (Section 05): write rules against the telemetry the attack generates
- Lab validation (Sections 03 + 06): run the attack in a controlled environment and verify your detection fires
Key Identity Sources for Detection
| Source | Key Signals |
|---|---|
| Windows Security Event Log | 4624 (logon), 4625 (failed logon), 4648 (logon with explicit credentials), 4672 (special privileges assigned), 4768 (Kerberos TGT request), 4769 (Kerberos service ticket request), 4776 (NTLM credential validation) |
| Active Directory audit log | Object creation/modification and ACL changes (Directory Service Changes, 5136/5137), replication requests (4662 carrying DS-Replication-Get-Changes rights) |
| Entra ID Sign-In log | Sign-in risk, location, MFA result, conditional access outcome |
| Entra ID Audit log | Role assignments, app registrations, PIM activations |
| Okta System Log | Authentication events, admin actions, policy evaluations |
| AWS CloudTrail | ConsoleLogin, sts:AssumeRole, sts:GetSessionToken, IAM role and policy changes |
| Azure Activity log | Role assignments, resource access via identity |
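The detection chain above, run end to end over the Windows Security Event Log signals listed in the table, as an added example that is not part of this handbook's original text. It takes two attack primitives from the scope table (Kerberoasting and password spray), the telemetry each leaves (4769 with RC4 tickets; 4625 with a wrong-password substatus), writes the rule, and validates it against constructed sample events. Field names follow the Windows event XML (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, SubStatus); the thresholds, windows and sample values are assumptions to tune per environment.

```python
"""Added example (not code from the original page): two ITDR rules over
constructed Windows Security Event Log samples.

  * Kerberoasting (ATT&CK T1558.003): one principal requests RC4 (0x17)
    service tickets (event 4769) for many distinct SPN-bearing user accounts.
  * Password spray (ATT&CK T1110.003): one source IP fails logons (event 4625,
    SubStatus 0xC000006A = wrong password) against many distinct users.

Thresholds and windows are assumptions to tune per environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _distinct_burst(events, key_field, value_field, window, threshold):
    """Sliding-window 'many distinct values per key' primitive shared by both
    rules. Yields (key, distinct_values, triggering_event) the first time a key
    accumulates `threshold` distinct values inside `window`."""
    recent, fired = defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        key, t = ev[key_field], datetime.fromisoformat(ev["TimeCreated"])
        q = recent[key]
        q.append((t, ev[value_field]))
        while t - q[0][0] > window:          # evict entries older than the window
            q.popleft()
        distinct = {v for _, v in q}
        if len(distinct) >= threshold and key not in fired:
            fired.add(key)
            yield key, sorted(distinct), ev


def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=5):
    """4769 with RC4 tickets for >= min_spns distinct user-account SPNs.
    Machine accounts (name ends in '$') and krbtgt are excluded: they are not
    what an attacker cracks offline and would only add noise."""
    tgs = [e for e in events
           if e["EventID"] == 4769 and e["TicketEncryptionType"].lower() == "0x17"
           and not e["ServiceName"].endswith("$") and e["ServiceName"].lower() != "krbtgt"]
    return [{"rule": "Kerberoasting", "technique": "T1558.003", "principal": k,
             "spns": spns, "source_ip": ev["IpAddress"]}
            for k, spns, ev in _distinct_burst(tgs, "TargetUserName", "ServiceName", window, min_spns)]


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """4625 wrong-password failures from one IP against >= min_users distinct users."""
    fails = [e for e in events if e["EventID"] == 4625 and e["SubStatus"].lower() == "0xc000006a"]
    return [{"rule": "Password spray", "technique": "T1110.003", "source_ip": k, "users": users}
            for k, users, _ in _distinct_burst(fails, "IpAddress", "TargetUserName", window, min_users)]


def run_all(events):
    return detect_kerberoasting(events) + detect_password_spray(events)


def _ev(eid, ts, **fields):
    return {"EventID": eid, "TimeCreated": ts, **fields}


# Constructed sample telemetry (not real logs): one Kerberoasting burst, one
# password spray, and benign events each rule must ignore.
SAMPLE_EVENTS = [
    *[_ev(4769, f"2024-05-01T10:00:{i:02d}", TargetUserName="jdoe@CORP.LOCAL", ServiceName=s,
          TicketEncryptionType="0x17", IpAddress="10.0.0.25")
      for i, s in enumerate(["svc_sql", "svc_backup", "svc_web", "svc_sccm", "svc_ldap"])],
    _ev(4769, "2024-05-01T10:00:06", TargetUserName="jdoe@CORP.LOCAL", ServiceName="WS01$",
        TicketEncryptionType="0x17", IpAddress="10.0.0.25"),          # machine account: ignored
    _ev(4769, "2024-05-01T10:00:07", TargetUserName="asmith@CORP.LOCAL", ServiceName="svc_sql",
        TicketEncryptionType="0x12", IpAddress="10.0.0.31"),          # AES ticket: ignored
    *[_ev(4625, f"2024-05-01T11:00:{i * 10:02d}", TargetUserName=u, IpAddress="10.0.0.99",
          Status="0xC000006D", SubStatus="0xC000006A")
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    _ev(4625, "2024-05-01T11:05:00", TargetUserName="alice", IpAddress="10.0.0.12",
        Status="0xC000006D", SubStatus="0xC000006A"),                 # one typo: below threshold
    _ev(4625, "2024-05-01T11:05:30", TargetUserName="nosuchuser", IpAddress="10.0.0.99",
        Status="0xC000006D", SubStatus="0xC0000064"),                 # unknown user: not this rule
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

The two rules share one sliding-window primitive because most identity-plane detections reduce to "one key, too many distinct values, too fast"; what differs per attack is the filter that selects the right events and the choice of key and value fields, which is where the protocol knowledge from Section 02 goes. Note that each rule fires once per key at the moment the threshold is crossed, so the password spray alert lists the first five targets, not all six; a production rule would usually keep enriching the open alert instead.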
Cross-Links
| Topic | Link |
|---|---|
| Identity Attack Surface | identity-attack-surface.md |
| Identity Frameworks | identity-frameworks.md |
| Detection Framework | detection-framework |