Zscaler Identity Threat Detection and Response (ITDR) is designed to provide visibility into an organization's identity attack surface by continuously monitoring Active Directory (AD). To achieve this, the Identity Protection engine directly queries the AD environment. It uses the Lightweight Directory Access Protocol (LDAP), the standard protocol for interacting with directory services like AD. A configured service account with appropriate read-only permissions is used to run these LDAP queries, allowing the engine to discover AD domains and forests and gather detailed information about configurations, users, and groups without relying on network-level scanning or log analysis.

A. Scanning network ports: This is a general network reconnaissance technique and does not provide the specific, detailed object and attribute information from Active Directory that ITDR requires.

C. Analyzing firewall logs: Firewall logs contain information about network traffic, not the internal configuration state, user permissions, or group policies within Active Directory.

D. Packet sniffing: While it could theoretically capture LDAP traffic, this is an inefficient, indirect, and less reliable method compared to making direct, authenticated queries to the directory service.

1. Zscaler Help Portal

"About Identity Protection Profiles": In the description of how the system functions

the documentation states

"The Identity Protection engine discovers your AD domains and forests by running LDAP queries and then assesses the security posture of your AD configuration."

2. Zscaler Help Portal

"Step-by-Step Configuration Guide for Zscaler Identity Threat Detection & Response": In the "Prerequisites" section (specifically

under "Identity Protection Service Account")

it details the requirement for a service account with "read-only permissions to the Active Directory (AD) domain." This requirement exists to facilitate direct

authenticated queries against the domain controllers.