DonatoL
Copper Contributor
Sep 21, 2022

Identity Security Posture report

Hello, we have deployed Defender for Identity in a multi-forest environment.

We had a couple of forests that had a forest trust with one of the forests monitored by MDI, but they never had an MDI sensor installed on their domain controllers. The Identity Security Posture report right now reports several pieces of information regarding domain controllers without a sensor and unsecure attributes for objects in these 2 old forests, which are no longer connected or trusted.

We thought it depended on data retention, but one year later we have this stale information in the report.

We have also excluded domains, identities, devices and IPs from all detection rules, but nothing changed.

Is it possible in some way to modify the information in this report? This situation leads us to have a bad Identity security score due to incorrect information in the Identity posture report.

Hope you can help.

Donato

  • Hi DonatoL 

    Just so I understand the situation: through its multi-forest discovery capabilities, a single forest was able to discover other, non-MDI deployed forests and now includes them in its assessment report.

    In that case, the report is accurate, however, you'd like to exclude these forests from the report?

    • DonatoL
      Copper Contributor
      Yes, I'd like to exclude these forests from the report. But in 1 case the report is not accurate because it reports an object of an old disconnected non-MDI forest, and I'd like to remove this object.
      • Or Tsemah
        Microsoft

        DonatoL, and that disconnected forest's items are no longer updated or discovered by another MDI sensor for any reason, right?
