Latest Discussions
MDI Activation vs. Manual/Scripted Install.
Hi, we recently noticed the new ‘Activation’ feature MDI added with MDE in our portal (https://learn.microsoft.com/en-us/defender-for-identity/deploy/activate-capabilities), and we’re very interested in the capabilities, but concerned about one thing the documentation states. In the documentation, it says that the activation is just the ‘core’ protections, while the installer package is a more robust defense. I was wondering if there were key differences, like losing out on some stuff, or if both installations would cover the same activities, etc., before we go through with preferring one method to the other. Thanks!
Posted by dhorne25, Mar 18, 2025. Marked as solved.

ATP Sensor will not install on Windows 2016
Environment: Windows Server Standard 2016, vSphere 7x, hardware requirements met, .NET Framework 4.8. We have 4 Windows Server 2016 Domain Controllers that all experience the exact same error that prevents us from installing the downloaded classic sensor. I have tried rebooting, run as admin, upgrading .NET Framework (from 4.7 to 4.8), etc. This occurs on all 4 DCs that are 2016. We have successfully installed on the 2019 DCs. I have searched online for this error but all suggested fixes are Visual Studio related and I don't think it applies to our situation. The error is:
"Error DeploymentManager ShowErrorMessage System.IO.FileLoadException: Could not load file or assembly 'System.ValueTuple, Version=4.0.2.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)"
Posted by ChristianT, Mar 17, 2025.

User + Server exclusions
Following a recent deployment of Advanced Threat Analytics (ATA), my client is getting "Remote execution attempt detected" alerts for their Veeam backup service account against several servers. This is a known service account and they would like to exclude the alert for this activity for just this user account. However, ATA only provides an option to exclude the server. Do we know if providing the ability to exclude both a specific user and server is on the ATA roadmap?
Posted by Rob Kennedy, Mar 11, 2025.

Blocking TCP 3389 - issues?
There is a strong push here to block RDP over part of our network. MSDI uses 3389 for name resolution. In what order does MSDI use the three available methods for name resolution: TCP 135 (NTLM), UDP 137 (NetBIOS) and TCP 3389 (RDP)? We are currently seeing a lot of 3389 network traffic from the MSDI sensors to clients. TIA.
Posted by tonywvincent, Mar 07, 2025.

Azure Advanced Threat Protection Sensor service terminated
Since applying June patches and Azure automatically updating the Azure Advanced Threat Protection Sensor, the service continues to bomb. Anyone else seeing this behavior?
The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 31 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
App event:
Application: Microsoft.Tri.Sensor.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Net.Sockets.SocketException
   at System.Net.Sockets.Socket.EndReceive(System.IAsyncResult)
   at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult)
Exception Info: System.IO.IOException
   at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult)
   at Microsoft.Tri.Infrastructure.TaskExtension.UnsafeAsyncCallback[[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.IAsyncResult, System.Func`2<System.IAsyncResult,Int32>, Microsoft.Tri.Infrastructure.TaskCompletionSourceWithCancellation`1<Int32>)
   at System.Net.LazyAsyncResult.Complete(IntPtr)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Net.ContextAwareResult.Complete(IntPtr)
   at System.Net.LazyAsyncResult.ProtectedInvokeCallback(System.Object, IntPtr)
   at System.Net.Sockets.BaseOverlappedAsyncResult.CompletionPortCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
   at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
Posted by JG-Burke, Mar 04, 2025.

Suspected identity theft (pass-the-ticket) on multiple endpoints krbtgt
User Kerb tkt was taken from a DirectAccess Always On VPN server which has a local NPS, then used on a user computer to access multiple resources. Expected behavior observed. What conditions should be used for suppressing this alert?
Related account: krbtgt
Suspect account: domain user
Hosts related: DC, DirectAccess server with local NPS
Source host: domain user machine
I can use the above SID and exclude but I'm hesitant as TP alerts may automatically close. I've several alerts like these daily.
Posted by logger2115, Feb 14, 2025.

Using gMSA with ATP results in many 2947 events
We have an ATP deployment with several domains and different Trusts. We have 3 different credentials in use, 2 x 'ordinary' service accounts and 1 x gMSA. On the DCs in the domain where the gMSA is hosted, the "Directory Service" event logs are full of 2947 events ("An attempt to fetch the password of a group managed service account failed.") for the gMSA. The source computers for these events are computers in other domains with the ATP sensor installed. Is there any way of filtering which credentials are used by the sensors in a given domain? The deluge of 2947 events is making it difficult to find useful information in the logs of the affected DCs.
Posted by StuartSquibb, Feb 05, 2025.

Secure Score "this account is sensitive and cannot be delegated"
Hi, in Microsoft Secure Score, when selecting the recommended action "Ensure that all privileged accounts have the configuration flag 'this account is sensitive and cannot be delegated'" and looking in the Exposed entities tab, I only see computer accounts. In the Implementation instructions they only mention user accounts. How do I complete this recommended action and get rid of the computer accounts detected?
Posted by starman2heven, Feb 03, 2025.

Easiest way to view remediated risk detections?
I'm looking in Lighthouse at a series of risky logins that are remediated. The thing is, this tenant previously experienced a breach that got remediated, so I'm trying to be extra cautious. When I click "View in Entra", it brings up no risk detections. If I navigate to Protection > Risky Activities > Risky Sign-Ins I get nothing. Switching to all statuses, I still get nothing. Same thing happens if I go to Risk Detections: nothing. Short of bringing up each user and checking every single login to try to find what was risky, is there a way I can see these once the statuses are remediated? It seems like I SHOULD be able to... But here are the different ways I've tried filtering Risk detections: Risky Sign-Ins. Trying to understand the users popping up in Lighthouse, but they don't appear with any of these filters (or the defaults).... Anyone able to advise? Thanks
Posted by underQualifried, Feb 03, 2025. Marked as solved.