Microsoft Defender for Identity AMA
Event details
We are very excited to announce our Microsoft Defender for Identity AMA!
An AMA is a live, text-based online event similar to a “YamJam” on Yammer or an “Ask Me Anything” on Reddit. This AMA gives you the opportunity to connect with Microsoft product experts, who will be on hand to answer your questions and listen to feedback.
Feel free to post your questions about Defender for Identity in the comments below ahead of time if that fits your schedule or time zone better; questions will not be answered until the live hour.
- blods (Brass Contributor): Is the name ATP, or Advanced Threat Protection, completely phased out now, or does it exist for other products?
- Ricky Simpson (Iron Contributor): The ATP branding has been phased out now, yes. You may still see references in file names, logs or executables on the odd occasion, but any documentation, content or anything else that’s more public-facing will be branded Defender for Identity.
- Eric JENOUVRIER (Iron Contributor): When the MDI probe is deployed on a given Domain A and a trust is then established between Domain A and Domain B, the MDI probe (by LDAP query) is able to report some data on Domain B. But when the trust from Domain A to Domain B is removed, the data associated with Domain B remains. Is it a feature? Is it a bug? Is there any plan to automatically remove data from Domain B after a trust is removed?
  * As an example: trust removed between A and B + 30 days without re-establishment of the trust = data of Domain B removed.
  * Another example: A (MDI probe) <= trust => B <= trust => C; when the trust is removed between A and B + 30 days = data of Domain B and C removed.
- Martin_Schvartzman (Microsoft): As these entities and activities were recorded when there was a trust relationship, there is no method to delete these entities or activities. When there are no activities for an entity, it will be deleted automatically within one year. See the following for more information: https://docs.microsoft.com/en-us/defender-for-identity/privacy-compliance#delete-personal-data
You can manually delete security alerts that might have been triggered from domain B.
- Eric JENOUVRIER (Iron Contributor): Microsoft Defender for Identity is capturing IdentityLogonEvent for Kerberos, NTLM, ... and LDAP bind (clear-text password), but what about LDAPS? LDAP binds over TLS/LDAPS are not captured in the Hunting database. Is there some plan to have some event ID within Active Directory and/or an evolution of the MDI probe to capture LDAP binds over LDAPS?
- Umm_Kulth101 (Copper Contributor): interested
- Daniel Naim (Iron Contributor): Defender for Identity collects and stores information from your configured servers. Information collected includes network traffic to and from domain controllers (such as Kerberos authentication, NTLM authentication, DNS queries), security logs (such as Windows security events), Active Directory information (structure, subnets, sites), and entity information (such as names, email addresses, and phone numbers). Defender for Identity does not currently have visibility into queries over LDAPS connections. We recently added the ability to gather the LDAP queries done via Active Directory Web Services. We are also looking at a method to see the encrypted traffic from pure LDAPS. https://docs.microsoft.com/en-us/defender-for-identity/whats-new#defender-for-identity-release-2180
- Brogie (Brass Contributor): Thanks for this. Why does my MDI config send auth requests to each domain for accounts defined in other domains? Any roadmap for sending specific alerts to specific DLs? We continually see false positives for Suspected Golden Ticket usage on a nonexistent account from Hadoop installs; any fixes in the works for that? We also see issues with VPN where, when the IP address changes on the client, we get incorrect Pass-the-Ticket alerts; any way to address these? How is the product team addressing configuration management for exclusion tracking? Will this be exposed via Graph or otherwise soon?
- Ricky Simpson (Iron Contributor): MDI connects to the other domains to associate the entities seen in the activities with an object in the Active Directory domain.
We don’t have the ability to send specific alerts to a specific DL. You can use the M365D Incident API and create your own automation to send specific alerts to specific DLs.
We are aware of an issue with Golden Ticket on a non-existent account, where the account is “WellKnown\Anonymous”; a fix for this will be released shortly.
Regarding the VPN IP addresses, I would confirm that the NNR ports are open to the IP addresses used. https://docs.microsoft.com/en-us/defender-for-identity/nnr-policy
Regarding configuration management, this is something we are working on.
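One way to build the "own automation" the answer above points to, as an added example that is not part of the thread or of any Microsoft sample: MDI-sourced alerts are pulled out of Microsoft 365 Defender incidents and routed to a distribution list by alert title. The API endpoint is the real incidents API; the token, the distribution-list addresses and the incident payload are assumptions or constructed data.

```python
import json
import urllib.parse
import urllib.request
from collections import defaultdict

# Microsoft 365 Defender incidents API; obtaining the bearer token is out of scope here.
API_URL = "https://api.security.microsoft.com/api/incidents"
# Routing table, alert-title keyword -> distribution list (assumed addresses).
ROUTES = {"golden ticket": "ad-tier0@example.com", "pass-the-ticket": "soc-identity@example.com"}
DEFAULT_DL = "soc-triage@example.com"

# Constructed sample in the shape the incidents API returns; not real data.
SAMPLE_INCIDENTS = {"value": [
    {"incidentId": 101, "severity": "High", "alerts": [
        {"alertId": "da1", "title": "Suspected Golden Ticket usage (nonexistent account)",
         "serviceSource": "MicrosoftDefenderForIdentity"},
        {"alertId": "da2", "title": "Suspicious process injection",
         "serviceSource": "MicrosoftDefenderForEndpoint"}]},
    {"incidentId": 102, "severity": "Medium", "alerts": [
        {"alertId": "da3", "title": "Suspected identity theft (pass-the-ticket)",
         "serviceSource": "MicrosoftDefenderForIdentity"}]},
    {"incidentId": 103, "severity": "Low", "alerts": [
        {"alertId": "da4", "title": "Honeytoken activity",
         "serviceSource": "MicrosoftDefenderForIdentity"}]}]}

def pick_dl(title: str) -> str:
    """Map an alert title to a distribution list by keyword; unmatched titles go to triage."""
    lowered = title.lower()
    return next((dl for kw, dl in ROUTES.items() if kw in lowered), DEFAULT_DL)

def route_mdi_alerts(incidents: dict) -> dict:
    """Return {distribution_list: [alertId, ...]} for MDI-sourced alerts only."""
    routed = defaultdict(list)
    for incident in incidents.get("value", []):
        for alert in incident.get("alerts", []):
            # An incident can mix MDE/MDO alerts with MDI ones; route only the MDI ones.
            if alert.get("serviceSource") == "MicrosoftDefenderForIdentity":
                routed[pick_dl(alert["title"])].append(alert["alertId"])
    return dict(routed)

def fetch_active_incidents(token: str) -> dict:
    """Pull active incidents from the API (OData $filter on status is supported)."""
    query = urllib.parse.urlencode({"$filter": "status eq 'Active'"})
    req = urllib.request.Request(f"{API_URL}?{query}", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Offline demo on the constructed sample; use fetch_active_incidents(token) for live data.
    print(json.dumps(route_mdi_alerts(SAMPLE_INCIDENTS), indent=2))
```

The returned map is what a mail step would consume; sending the mail itself is left to whatever notification path the tenant already uses.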
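The NNR check the answer recommends for the VPN case, as an added example that is not part of the thread: Network Name Resolution is attempted from the sensor to the endpoint over NTLM over RPC (TCP 135), NetBIOS (UDP 137), RDP (TCP 3389, first Client Hello packet only) and reverse DNS, so this script probes the TCP methods and the PTR lookup for a list of client addresses. The addresses are placeholders, and the probe functions are injectable so the reporting logic can be tested offline.

```python
import socket
from typing import Callable, Dict, Optional

# TCP-based NNR methods, sensor -> endpoint. NetBIOS (UDP 137) is not probed here because a
# plain connect cannot test UDP; reverse DNS is exercised through a PTR lookup instead.
NNR_TCP_PORTS = {135: "NTLM over RPC", 3389: "RDP (first Client Hello packet only)"}

def tcp_open(ip: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect from this host, a proxy for the sensor reaching the port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def reverse_dns(ip: str) -> Optional[str]:
    """PTR lookup, the DNS method NNR falls back on."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def check_nnr(ips, connect: Callable[[str, int], bool] = tcp_open,
              ptr: Callable[[str], Optional[str]] = reverse_dns) -> Dict[str, dict]:
    """Per IP, report which NNR methods succeed and whether any did.

    An endpoint that fails every method cannot be tied to a computer name, which is the
    condition to rule out when VPN address changes coincide with incorrect Pass-the-Ticket
    alerts. 'connect' and 'ptr' are injectable so the logic can run without a network.
    """
    report = {}
    for ip in ips:
        result = {str(port): connect(ip, port) for port in NNR_TCP_PORTS}
        result["ptr"] = ptr(ip)
        result["resolvable"] = any(result[str(p)] for p in NNR_TCP_PORTS) or result["ptr"] is not None
        report[ip] = result
    return report

if __name__ == "__main__":
    # Placeholder addresses: substitute the VPN client pool and run this on the sensor host.
    for ip, res in check_nnr(["10.0.0.10", "10.0.0.11"]).items():
        status = "OK" if res["resolvable"] else "BLOCKED: open 135/3389 to the client or fix PTR records"
        print(f"{ip}: {res} -> {status}")
```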
- PeterJ_Inobits (Iron Contributor): Does it pick up on configuration changes that would reduce security posture, such as incorrectly granting control over the domain controllers group to a low-level user account? Is there any sort of vulnerability assessment based on excessive or incorrect delegation of permissions?
- Or Tsemah (Iron Contributor): A: Yes, you can find all of Microsoft Defender for Identity’s security recommendations under Microsoft Secure Score (https://security.microsoft.com/securescore?viewid=actions), filtered to Defender for Identity.
- RAJUMATHEMATICSMSC (Iron Contributor): 1. Which operating systems are supported? 2. What are the minimum system requirements of Microsoft Defender for Identity AMA? 3. What are the benefits when users are using MDI AMA? 4. Methods of operation of MDI AMA.
- Martin_Schvartzman (Microsoft): Microsoft Defender for Identity supports Windows Server 2012 and above, up to Windows Server 2022. When installing the sensor on AD FS servers, it is supported from Windows Server 2016 and above, as described in https://docs.microsoft.com/en-us/defender-for-identity/prerequisites#general
The minimum system requirements depend on the amount of network traffic and events on the server, and because this can vary a lot from customer to customer, we recommend running the sizing tool to get estimated requirements, as described in https://docs.microsoft.com/en-us/defender-for-identity/capacity-planning#defender-for-identity-sensor-sizing
- StefaniaCastelli (Brass Contributor): Useful answers. Scalability, home networks and inclusion of low-performance, obsolete devices (the main source for ICT and connection in rising economies). Curious about MDI!