Microsoft Defender for Identity AMA
Wednesday, Jun 29, 2022, 09:00 AM PDT
We are very excited to announce our Microsoft Defender for Identity AMA!
An AMA is a live text-based online event similar to a “YamJam” on Yammer or an “Ask Me Anything” on Reddit. This AMA giv...
Trevor_Rusher
Updated Jun 29, 2022
Douglas_Henrique
Jun 28, 2022, Brass Contributor
Recently I received an alert about "Account enumeration reconnaissance" with an unknown resource name. That enumeration was through NTLM against my DC, with my Exchange Server as the destination. Besides, the resource has no information about IP, logged users, accessed resources, and so on. My question is: where should I start to block that kind of resource with no information in MDI?
Daniel Naim
Jun 29, 2022, Iron Contributor
The application making the NTLM request can put in whatever it wants as the computer name. When MDI has access to event 8004 on the domain controller, it will add the resource that was being accessed to the Account Enumeration alert. Now you can look on the resource computer for events 4624 and 4625 to see the source IP address of the computer connecting to the resource. https://docs.microsoft.com/en-us/defender-for-identity/reconnaissance-alerts#account-enumeration-reconnaissance-external-id-2003
Make sure that the domain controllers are configured to record event 8004. https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#event-id-8004
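The lookup the answer describes, as an added example that is not part of the thread: run on the resource computer (the Exchange server here), it pulls 4624/4625 events around the alert time, keeps NTLM logons that claim the spoofable workstation name from the alert, and groups them by the real source IP. The workstation name, alert time and window are placeholders you substitute from your own alert.

```powershell
# Added example, not from the AMA thread. Assumes: $SuspectWorkstation is the
# unknown resource name shown in the MDI alert (placeholder), $AlertTime is the
# alert timestamp, and the script runs on (or has Security-log read access to)
# the resource computer that the NTLM authentications targeted.
param(
    [string]$SuspectWorkstation = 'UNKNOWN-HOST-FROM-ALERT',   # placeholder
    [datetime]$AlertTime = (Get-Date),
    [int]$WindowMinutes = 60
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625            # successful / failed logon
    StartTime = $AlertTime.AddMinutes(-$WindowMinutes)
    EndTime   = $AlertTime.AddMinutes($WindowMinutes)
}

# Read each event's named fields from its XML payload; both 4624 and 4625 carry
# IpAddress, WorkstationName, TargetUserName and AuthenticationPackageName.
$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Id          = $_.Id
        User        = $data['TargetUserName']
        Workstation = $data['WorkstationName']
        AuthPackage = $data['AuthenticationPackageName']
        SourceIP    = $data['IpAddress']
    }
}

# Keep only NTLM logons claiming the workstation name from the alert, then count
# distinct accounts per source IP: one IP failing against many different accounts
# is the enumeration pattern MDI flagged, and that IP is what you block or isolate.
$logons |
    Where-Object { $_.AuthPackage -eq 'NTLM' -and $_.Workstation -eq $SuspectWorkstation } |
    Group-Object SourceIP |
    ForEach-Object {
        [pscustomobject]@{
            SourceIP      = $_.Name
            Attempts      = $_.Count
            Failed        = ($_.Group | Where-Object Id -eq 4625).Count
            DistinctUsers = ($_.Group.User | Sort-Object -Unique).Count
            FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object DistinctUsers -Descending | Format-Table -AutoSize
```

If the Security log on the resource has already rolled over, the same fields are available from whatever SIEM or Windows Event Forwarding collector receives that host's 4624/4625 events.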