Forum Widgets
Latest Discussions
Segreation of views for different sub-companies
I am in a group of companies and due to various legal reasons they are not allowed to see each others data, but we are all part of the same azure tenant and active directories. So i want to use the idnetity sensor, and it to feed data into dfi, but i want to give the it teams from the different companies access to ONLY their own data and also allow them to do investations on only their own users. How can i do this segregation within defender?
Defender for Identity Certificate Requirements
One of the required certificates for the MDI sensor to run is this certificate: Subject : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE Issuer : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE Thumbprint : D4DE20D05E66FC53FE1A50882C78DB2852CAE474 FriendlyName : DigiCert Baltimore Root NotBefore : 5/12/2000 11:46:00 AM NotAfter : 5/12/2025 4:59:00 PM Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid} It expires in a little over 2 weeks. I still see it listed as required here: https://learn.microsoft.com/en-us/defender-for-identity/troubleshooting-known-issues Does anyone know if that requirement will be going away and/or will the certificate be updated before this one expires? I haven't been able to find anything related to its replacement through my various searches so I apologize if this has been covered already. Thanks.
Secure Score "this account is sensitive and cannot be delegated"
Hi In Microsoft Secure Score when selecting the recommended action Ensure that all privileged accounts have the configuration flag "this account is sensitive and cannot be delegated" and in the Exposed entities tab I only see computer accounts. In the Implementation instructions they only mention user accounts. How do I complete this recommended action and get rid of the computer accounts detected?
KQL query to check tri.sensor for MDI
I was looking for a query to run to check that all the deployed MDI sensor's are running successfully. I have reviewed the 3 Identity tables listed within the Monitor > Logs table schema but unable to find the right query. Please let me know if any other information is needed. Cheers, Serge
ATP sensor fails to start since yesterday
Hi there, we run the ATP sensor with a gMSA account on all domain controllers. Yesterday we restarted all machines because of January patch day and now the ATP sensor will get stuck while starting. Funny: there are more than 40 DC's. The service is still starting on exactly one (!) DC. It can be restarted on this DC without any issues. All others show this error. Rebooting the machines will not help. 2024-01-24 16:24:50.9788 Info RemoteImpersonationManager CreateImpersonatorInternalAsync started [UserName=mdiuser$ Domain=domain.local IsGroupManagedServiceAccount=True] 2024-01-24 16:24:51.4632 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=mdiuser$ Domain=domain.local IsSuccess=False] 2024-01-24 16:24:51.4632 Info RemoteImpersonationManager CreateImpersonatorInternalAsync finished [UserName=mdiuser$ Domain=domain.local] 2024-01-24 16:24:51.4632 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=dc03.domain.local Domain=domain.local UserName=mdiuser$ ] We have not changed anything regarding sensors or the gMSA account for months, so this configuration was running without issues until yesterday. Running Test-ADServiceAccount -Identity "mdiuser" on the affected machines gives "True", so the machine can successfully retrieve the gMSA password. I have checked that the mdiuser account is part of the GPO that allows logon as service on all machines. Now I am running out of ideas. The system tells me, it can access the gMSA password, the agent tells me it can't. Whats wrong? Best regards, Ingo
ATP Sensor will not install on Windows 2016
Environment: Windows Server Standard 2016, vSphere 7x, Hardware requirements met, .Net Framework 4.8. We have 4 Windows Server 2016 Domain Controllers that all experience the exact same error that prevents us from installing the download classic sensor. I have tried rebooting, run as admin, upgrading .Net framework (from 4.7 to 4.8), etc. This occurs on all 4 DCs that are 2016. We have successfully installed on the 2019 DCs. I have searched online for this error but all suggested fixes are Visual Studio related and I dont think it applies to our situation. "Error DeploymentManager ShowErrorMessage System.IO.FileLoadException: Could not load file or assembly 'System.ValueTuple, Version=4.0.2.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)" error.User + Server exclusions
Following a recent deployment of Advanced Threat Analytics (ATA) my client is getting "Remote execution attempt detected" alerts for their Veeam backup service account against several servers. This is a known service account and they would like to exclude the alert for this activity for just this user account. However ATA only provides an option to exclude the server. Do we know if providing the ability to exclude both a specfic user and server is on the ATA roadmap?
Blocking TCP 3389 - issues?
There is a strong push here to block RDP over part of our network. MSDI uses 3389 for name resolution. What order does MSDI use the three available methods for name resolution - TCP 135 (NTLM), UDP 137 (NetBIOS) and TCP 3389 (RDP)? We are currently seeing a lot of 3389 network traffic from the MSDI sensors to clients. TIA.
