Microsoft Defender for Identity AMA
Event details
We are very excited to announce our Microsoft Defender for Identity AMA!
An AMA is a live text-based online event similar to a “YamJam” on Yammer or an “Ask Me Anything” on Reddit. This AMA gives you the opportunity to connect with Microsoft product experts who will be on hand to answer your questions and listen to feedback.
Feel free to post your questions about Defender for Identity anytime in the comments below beforehand, if it fits your schedule or time zone better, though questions will not be answered until the live hour.
94 Comments
- batuhank
Copper Contributor
Are you going to have a workflow for MDI exclusions? Such as, SOC Analyst gives a verdict that an alert is false positive and suggests exclusion, it goes to a group of security engineers who analyse the overall impact and decide on exclusion or not?
- Or Tsemah
Iron Contributor
Currently, Incidents are meant to be assigned to one or more people so they can reach a conclusion. You can use a similar approach to reach a conclusion with regards to exclusions too.
- Arjan van Veen
Copper Contributor
Are there any initiatives to create a Microsoft 365 Defender private community just like the Microsoft private cloud security community... that's much more efficient than only an ask me anything 🙂
- Trevor_Rusher
Community Manager
We currently don't have any plans to make an M365 Defender Private Community, we are currently focusing on engaging and responding to all the questions/feedback on the public one first: https://techcommunity.microsoft.com/t5/microsoft-365-defender/bd-p/MicrosoftThreatProtection
- Robert_Rasp
Copper Contributor
Hello, can you please give me a tip about licenses? If I have a customer with the following infrastructure (just an example):
- 2 DomainControllers
- 4 MemberServer
- 8 ServiceAccounts
- 16 Users
How many licenses do I need? How can I use them and for which object/user?
Thank You
- Ricky Simpson
Iron Contributor
To be fully compliant with licensing, you need a Defender for Identity license for each human being protected in the environment. This could be with an M365 E5 license, M365 E5 Security license, or standalone Defender for Identity license. In your example, it would be 16 licenses - but please check with your license vendor if you have more specific questions, as this is purely based on my interpretation of the data you've provided 🙂
- Arjan van Veen
Copper Contributor
When the customer has no E5 security subscription you probably need 16 🙂 standalone SKU for MDI
- Robert_Rasp
Copper Contributor
If the customer wants to use E5, how to deploy the license to the DCs?
- David Westgate
Copper Contributor
Is there a way to audit/report alignment to specific CIS controls/compliance against MDI/MDE or the entire tenant?
- Or Tsemah
Iron Contributor
The capability to report Defender for Identity improvement actions against known baselines such as CIS is being worked on by the Microsoft Secure Score team, no ETA that we can share at this moment though.
- tmills
Copper Contributor
I feel silly - I don't see the link to join this live event. The 'Live' at the top brings you back here.
- Steven Schwark
Copper Contributor
It is a live text-based live conversation. It refreshes every 60 seconds by default.
- Trevor_Rusher
Community Manager
Hi Timothy! This AMA is currently live! It is all text-based, so post your question and the MDI team will be able to answer in a reply to you 🙂
- tmills
Copper Contributor
That's pretty annoying =\
- DaniyarSatkhanov
Copper Contributor
I understood that's it. You ask ? here and they respond live in this page.
- PeterJoInobits
Brass Contributor
How does MDI correlate with the Sentinel Insecure Protocol workbook? For example if I enable all the audit settings that are mentioned in the Secure Protocols workbook will I be able to track and report on those protocols straight out of MDI or will I still need to spin up a Sentinel instance?
- Or Tsemah
Iron Contributor
While there is no immediate correlation for MDI with that specific Sentinel workbook, MDI has various security assessments, including detection of NTLMv1 and LDAP Simple Bind activities that are also used on that workbook. You can find them all in the Microsoft Secure Score feature at the Microsoft 365 Defender portal (filter for Defender for Identity).
- PeterJoInobits
Brass Contributor
Does that have a requirement for that requisite auditing to be enabled as with the Sentinel Workbook? I have a customer who has required to be able to report on things such as PlainText LDAP etc. but is cost sensitive especially w.r.t. Sentinel
- Trevor_Rusher
Community Manager
Welcome to the Microsoft Defender for Identity Ask Microsoft Anything (AMA)! This live hour gives you the opportunity to ask questions directly to the Microsoft team. Please post any questions in a separate, new comment thread. The MDI team will try their best to get to all the questions in the live hour. Thanks!
- Brogie
Brass Contributor
What improvements are being made for the stability of the agents? We have seen a history of agents failing after auto updates.
- Martin_Schvartzman
Microsoft
We’re improving the sensor in almost every version we release, and we currently don’t have any stability issues that we know of. Please open a support ticket to investigate your specific issue.
- Cloud0009
Copper Contributor
Hello Team, I have the below question on Defender for Identity sensor installation on a DC running on Windows Server 2016 Core (no GUI). I installed npcap, then installed the sensor setup, and it worked; however, I wanted to know if this is the right way or if Server Core only supports the MDI standalone sensor?
- Martin_Schvartzman
Microsoft
Yes, the MDI sensor is supported on Windows Server 2016 Core. This is the correct way to install the sensor on server core. See the following for list of operating systems supported. https://docs.microsoft.com/en-us/defender-for-identity/prerequisites#general
- Cloud0009
Copper Contributor
Thanks a lot Martin
- _LuisSilva
Brass Contributor
Does the MD4I still have the DNS RFC requirement for the ADDS FQDN names? Because there are very common situations where the ADDS FQDN domain names are not RFC compliant (and ADDS allows it). For example we have an ADDS domain name that has an underscore (is not DNS RFC compliant) but ADDS allowed it, and we cannot onboard it to MD4I.
- Martin_Schvartzman
Microsoft
Yes. The RFC requirement still applies. Please open a support ticket for us to investigate your specific scenario.
- _LuisSilva
Brass Contributor
Eventually contacted the MS Support (MD4I) and after a few email sessions, they concluded that it is a bug in the new defender portal (https://security.microsoft.com) since in the old MD4I portal this works as expected, and they will be validating this internally.