Microsoft Defender for Identity AMA
Event Ended
Wednesday, Jun 29, 2022, 09:00 AM PDT
We are very excited to announce our Microsoft Defender for Identity AMA!
An AMA is a live text-based online event similar to a “YamJam” on Yammer or an “Ask Me Anything” on Reddit. This AMA giv...
Trevor_Rusher
Updated Jun 29, 2022
Brogie
Jun 14, 2022 (Brass Contributor)
Thanks for this:
Why does my MID config send auth requests to each domain for other domains defined accounts?
Any roadmap for sending specific alerts to specific DLs?
We continually see false positives for Suspected Golden Ticket usage on nonexistent account from Hadoop installs, any fixes in the works for same?
We also see issues with VPN where, when the IP address changes on the client, we get incorrect Pass-the-Ticket alerts, any way to address these?
How is the product team addressing configuration management for exclusion tracking? Will this be exposed via Graph or other soon?
- Ricky Simpson, Jun 29, 2022 (Iron Contributor)
MDI connects to the other domains to associate the entities seen in the activities to an object in Active Directory domain.
We don’t have the ability to send specific alerts to a specific DL. You can use the M365D Incident API and create your own automation to send specific alerts to specific DL.
We are aware of an issue with Golden Ticket non-existent account, where the account is “WellKnown\Anonymous”, a fix for this will be released shortly.
Regarding the VPN IP addresses, I would confirm that the NNR ports are open to the IP addresses used. https://docs.microsoft.com/en-us/defender-for-identity/nnr-policy
Regarding configuration management, this is something we are working on.
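
The reply's suggestion of building your own automation on the M365D Incident API, as an added example that is not part of the thread and not Microsoft's code: it routes Defender for Identity alerts from an already-fetched incident list to distribution lists by alert title. The field names (`incidentId`, `alerts`, `alertId`, `serviceSource`, `title`) and the `AzureATP` source value are assumptions about the response shape, and the routing table and DL addresses are hypothetical.

```python
import fnmatch
from collections import defaultdict

# Hypothetical routing table (lowercase title pattern -> DL); first match wins.
ROUTES = [
    ("*golden ticket*", "identity-tier0@example.com"),
    ("*pass-the-ticket*", "vpn-netops@example.com"),
]
DEFAULT_DL = "soc-triage@example.com"  # hypothetical catch-all list
MDI_SOURCE = "AzureATP"  # assumed serviceSource value for Defender for Identity

# Constructed sample shaped like an incident list response (not real data).
SAMPLE_INCIDENTS = [
    {"incidentId": 101, "alerts": [
        {"alertId": "aa1", "serviceSource": "AzureATP",
         "title": "Suspected Golden Ticket usage (nonexistent account)"},
        {"alertId": "aa2", "serviceSource": "AzureATP",
         "title": "Suspected identity theft (pass-the-ticket)"},
        {"alertId": "da1", "serviceSource": "MicrosoftDefenderATP",
         "title": "Suspicious PowerShell command line"},
    ]},
    {"incidentId": 102, "alerts": [
        {"alertId": "aa3", "serviceSource": "AzureATP",
         "title": "Suspected brute-force attack (LDAP)"},
    ]},
]


def route_alerts(incidents, seen, routes=ROUTES, default=DEFAULT_DL):
    """Group unseen MDI alerts by target DL; `seen` persists across polls."""
    outbox = defaultdict(list)
    for incident in incidents:
        for alert in incident.get("alerts", []):
            alert_id = alert.get("alertId")
            if alert.get("serviceSource") != MDI_SOURCE or alert_id in seen:
                continue  # other products, or already mailed on an earlier poll
            seen.add(alert_id)
            title = alert.get("title", "")
            dl = next((d for pat, d in routes
                       if fnmatch.fnmatchcase(title.lower(), pat)), default)
            outbox[dl].append((incident.get("incidentId"), alert_id, title))
    return dict(outbox)


if __name__ == "__main__":
    seen_ids = set()  # in a real job this would be stored between runs
    for dl, items in route_alerts(SAMPLE_INCIDENTS, seen_ids).items():
        print(dl, items)
```

Unmatched MDI alerts fall through to the catch-all list rather than being dropped, so a renamed or new alert title still reaches someone.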