Latest Discussions
Suspected identity theft (pass-the-ticket) when switching LAN/WiFI
Hi, I see this alert "Suspected identity theft (pass-the-ticket)" when a user switches from LAN to WiFi or back. The laptop's DNS record has both IP addresses. I'm guessing Defender still thinks a different device is using the same Kerberos ticket. How do you deal with that? Can you tune the alert somehow so that it doesn't keep alerting?
Jan 16, 2025 4:15 PM: This Kerberos ticket was first observed on 1/16/25 4:15 PM on [Device Name] (Laptop IP1).
Jan 16, 2025 4:57 PM - Jan 16, 2025 4:57 PM: [Username] accessed [Server Name] (CIFS) from [Server IP] (Laptop IP2).
Thanks for your support
Osama_Salah | Jan 17, 2025 | Copper Contributor | 1 View | 0 likes | 0 Comments

"The Sensor failed to register due to connectivity issues" when install Azure ATP Sensor agent on DC
"The Sensor failed to register due to connectivity issues" when installing Azure ATP Sensor on a Domain Controller running on Windows 2012 R2. Any suggestion would be appreciated.
SB_082030 | Jan 15, 2025 | Copper Contributor | 2.4K Views | 0 likes | 3 Comments

Attack simulation Payload editor - recently broken?
Hello, Just last Wednesday, Jan. 8th, I created a new custom payload and was happy with the testing of the email. I logged in today and noticed that a majority of the formatting had been removed. I found this post: https://answers.microsoft.com/en-us/msoffice/forum/all/phishing-attack-simulation-payload-editor-is/88232e12-9744-4d87-9566-3fd5d8c2ed3a
Seems like he is having the same issue I am facing. Nothing is centering and many of the blocks I have created are gone (i.e. the External email, banner). Is anyone else having these issues, or has anyone found a way to "fix" it? Here is a snip of the same payload, one sent Wednesday, the other Monday: Monday, Jan. 13th: Any help would be appreciated.
Ke11yLee | Jan 13, 2025 | Copper Contributor | 24 Views | 0 likes | 0 Comments

Defender for identity updated itself, now it won't start
I had defender for identity 2.240.18218.5822 working on my DCs for several weeks. Then on September 24th 2024, the ATP sensors auto-updated themselves to 2.240.18224.34815. Now about half of them won't start anymore and logs are no longer being produced in the Logs folders:
No new logs produced in: C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18218.5822\Logs
No Logs folder exists in: C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18224.34815
This is the error when the service tries to start. In the event log:
The Azure Advanced Threat Protection Sensor Updater service terminated unexpectedly. It has done this 303511 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
I tried manually uninstalling and reinstalling on some of the servers but this has not worked.
RyanP1895 | Dec 10, 2024 | Copper Contributor | 183 Views | 0 likes | 7 Comments

Secure Score "this account is sensitive and cannot be delegated"
Hi. In Microsoft Secure Score, when selecting the recommended action Ensure that all privileged accounts have the configuration flag "this account is sensitive and cannot be delegated" and in the Exposed entities tab, I only see computer accounts. In the Implementation instructions they only mention user accounts. How do I complete this recommended action and get rid of the computer accounts detected?
starman2heven | Dec 10, 2024 | Brass Contributor | 1.6K Views | 0 likes | 24 Comments

DSA requirements
Hello, DSA is configured with rights "log on as a service" on the domain controllers. Do you need to configure the sensor service itself to also start the service with the DSA account with "Logon as"? Our sensors are starting up fine. But I have some strange logs in the sensor error log file. So I just want to verify that our setup is correct. Thanks!
Dlinden81 | Dec 06, 2024 | Copper Contributor | 25 Views | 0 likes | 0 Comments

Password changes of users not tracked by MDI / not in table
I was trying to create a KQL query for password changes/resets of users they did not initiate themselves. But after searching the table IdentityDirectoryEvents, I only see device password changes. I checked the "Audit Sessions" for the OU the users reside in - it is set to audit success for "change password". Also the test-mdiprereq shows green. It is a real "threat" that should be able to hunt - I am not sure what I miss here.
StephanGee | Dec 04, 2024 | Steel Contributor | 50 Views | 0 likes | 1 Comment

Microsoft Defender for Identity logs to syslog server
I had configured MDI to send logs to my syslog server. I gave its port number, nominated sensor, all the necessary details, and used test configuration to see if a test log reached my syslog server. And it did, but the problem is no other logs from MDI are reaching my syslog server. Could you provide information about configurations to be done in order to start getting the logs?
Rahulm98 | Dec 03, 2024 | Copper Contributor | 114 Views | 0 likes | 2 Comments

MDI for Certificate Services
There are very few articles, videos, listed features for Microsoft Defender for Identity Certificate Services. We have installed the software on our Issuing CA but we are unable to see anything useful. Are we missing something?
NickHair | Nov 19, 2024 | Copper Contributor | 49 Views | 0 likes | 1 Comment