Forum Discussion

Armpenu's avatar
Armpenu
Copper Contributor
Sep 13, 2022
Solved

GMSA account accessing server apps

We have deployed Microsoft Defender for Identity on our tenant,  and we have questions about why the GMSA is connecting to different app servers and IPs. We would like to understand why this is happ...
logging
microsoft 365 defender
Sensor
  • Martin_Schvartzman's avatar
    Martin_Schvartzman
    Sep 15, 2022

    Armpenu 

    The SAM-R calls are made towards the remote devices to get information on the local groups and memberships for calculating the potential lateral movement paths. Not to detect any actual lateral moment activity.

    It is auto enabled, but you need to configure the GPO for the identity making those calls to have the required permissions to get the information needed.

     

    I hope this clarifies the issue and answers your question.

Martin_Schvartzman's avatar
Martin_Schvartzman
Icon for Microsoft rankMicrosoft
Sep 15, 2022

Armpenu 

The SAM-R calls are made towards the remote devices to get information on the local groups and memberships for calculating the potential lateral movement paths. Not to detect any actual lateral moment activity.

It is auto enabled, but you need to configure the GPO for the identity making those calls to have the required permissions to get the information needed.

 

I hope this clarifies the issue and answers your question.

Armpenu's avatar
Armpenu
Copper Contributor
Sep 15, 2022
Martin,
Your time and expertise are appreciated. Thanks!
  • moderncloud's avatar
    moderncloud
    Copper Contributor
    Sep 15, 2022
    I am in the process of deploying MDI (drafting the Change Request). Are you installing your Sensors on Server 2012 or 2016? In 2012, the GPO for SAMR does not exist in the UI and I believe I would need to explicitly define this GPO via the registry. Just wondering if anyone has any experience with this yet.