Once an identity infrastructure has been breached, detection can take a long time, for the following reasons:
- We are fighting human adversaries who keep changing their tactics so that their attacks are not caught by traditional perimeter defense solutions.
- Existing security solutions require time and expertise to set up, fine-tune, and maintain.
- Going through a large number of logs and reports to identify risks and issues is not practical; engineers can miss important events.
- Most existing security solutions are designed to stop attackers at the perimeter. They have no way to detect an attacker once they have successfully logged into the infrastructure.
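The last two points are what post-breach identity detection has to address: rather than reading every logon event, a detector compares each account's authentication behaviour against a baseline and only surfaces deviations. The following is an added illustration, not code from the book or from any Microsoft product. It runs a simple lateral-movement heuristic over a handful of constructed events shaped like Windows Security event 4624 (successful logon); the account names, hosts, timestamps and the `BASELINE_HOSTS` table are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape of Windows Security event 4624
# (successful logon): (timestamp, account, target host, logon type).
# Logon type 2 = interactive, 3 = network, 10 = RemoteInteractive (RDP).
# These are not real logs; they are made up for this example.
SAMPLE_EVENTS = [
    ("2023-05-01T09:00:00", "alice", "WS01", 2),
    ("2023-05-01T09:05:00", "alice", "FS01", 3),
    ("2023-05-01T09:06:00", "bob", "WS07", 2),
    ("2023-05-01T13:00:00", "svc_backup", "FS01", 3),
    ("2023-05-01T13:00:20", "svc_backup", "FS02", 3),
    ("2023-05-01T13:00:45", "svc_backup", "WS01", 3),
    ("2023-05-01T13:01:10", "svc_backup", "WS02", 3),
    ("2023-05-01T13:01:30", "svc_backup", "DC01", 3),
    ("2023-05-01T13:02:00", "svc_backup", "WS03", 3),
    ("2023-05-01T13:02:30", "svc_backup", "WS04", 3),
    ("2023-05-01T17:00:00", "alice", "WS01", 2),
]

# Assumed baseline learned from earlier "normal" history: the hosts each
# account is usually seen authenticating to.
BASELINE_HOSTS = {
    "alice": {"WS01", "FS01"},
    "bob": {"WS07"},
    "svc_backup": {"FS01", "FS02"},
}


def parse_events(events):
    """Turn the raw tuples into (datetime, account, host, logon_type)."""
    return [(datetime.fromisoformat(ts), acct, host, lt)
            for ts, acct, host, lt in events]


def detect_lateral_movement(events, baseline,
                            window=timedelta(minutes=10), max_new_hosts=3):
    """Flag accounts that authenticate over the network to more than
    `max_new_hosts` hosts outside their baseline within `window`.

    Returns a list of alert dicts; an empty list means nothing was flagged.
    """
    by_account = defaultdict(list)
    for ts, acct, host, lt in parse_events(events):
        # Only network and RDP logons indicate movement between hosts;
        # a console logon (type 2) is not lateral movement by itself.
        if lt in (3, 10):
            by_account[acct].append((ts, host))

    alerts = []
    for acct, logons in by_account.items():
        logons.sort()
        known = baseline.get(acct, set())
        # Slide a time window over this account's logons and count the
        # distinct hosts that are not part of its baseline.
        for i, (start, _) in enumerate(logons):
            new_hosts = {h for ts, h in logons[i:]
                         if ts - start <= window and h not in known}
            if len(new_hosts) > max_new_hosts:
                alerts.append({
                    "account": acct,
                    "window_start": start.isoformat(),
                    "new_hosts": sorted(new_hosts),
                })
                break  # one alert per account is enough for triage
    return alerts


def triage_summary(events, baseline):
    """How many raw events a human would have read versus how many alerts
    the heuristic leaves them with."""
    alerts = detect_lateral_movement(events, baseline)
    return {"events": len(events), "alerts": len(alerts)}


if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_EVENTS, BASELINE_HOSTS):
        print(alert)
    print(triage_summary(SAMPLE_EVENTS, BASELINE_HOSTS))
```

In the sample, `svc_backup` reaches five hosts it has never touched within a few minutes and is the only account flagged, even though every one of its logons succeeded and would pass a perimeter control. The baseline is the important part: without it the detector would have to treat every network logon as suspicious, which is exactly the log-review problem the list above describes.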
Microsoft built AD and has ...