Feb 29 2024 05:06 AM - edited Feb 29 2024 05:56 AM
I do (I think :)) have a legit MSOL_522f75393cfe account which needs the DCSync permissions (Entra Connect), so how can I exclude this account from being detected by this rule?
I can find some 'exceptions':
Microsoft Defender | Settings | Identities | Actions and exclusions | Global excluded entities
https://security.microsoft.com/settings/identities?tabid=globalExclude&tid=e681ca77-e7ac-448f-b649-6...
I put the account there so it has the 'Exclude entities from all detection rules' option.
Is this the only way to exclude an account? (I prefer not to exclude the account altogether, but only to add an exception to this one detection.)
Feb 29 2024 06:35 AM
Have you tried to exclude entities based on specific detection rules? This will allow you to exclude users/devices/IPs for a particular detection rule or alert type in MDI.
Please navigate to security.microsoft.com > Settings > Identities > Exclusions by detection rule.
Feb 29 2024 07:53 AM - edited Feb 29 2024 07:55 AM
Hi @esatyaman, thanks for the reply. I failed earlier to match 'Remove non-admin accounts with DCSync permissions' with 'Suspected DCSync attack (replication of directory services)', as you pointed out. I did enable the exclusion and will wait (and report) to see if this is the exclusion that works. (And I removed the user from 'Global excluded entities'.)
Thanks!
Mar 06 2024 04:07 AM
Did this work for you for the Secure Score metric? It's annoying me as well. @Arian_van_der_Pijl
Mar 07 2024 08:00 AM - edited Mar 07 2024 08:08 AM
Well, unfortunately it doesn't seem to work. I excluded the MSOL_EntraSync account -> Exclude entities by detection rule -> Suspected DCSync attack (replication of directory services), but it still shows up under 'exposed entities' in Secure Score -> 'Remove non-admin accounts with DCSync permissions'.
So @esatyaman, do you happen to have any further suggestions? Thanks in advance.
Because it's my test environment at home (on-premises), I shut it down when not in use, but I guess I have waited long enough to conclude the results 🙂
Related:
Also, the Secure Score recommendation for Identity Protection 'Remove the attribute 'password never expires' from accounts in your domain' lists several 'HealthMailbox-xxx' accounts as 'exposed entities'. The accounts are from local AD with local Exchange servers. Can't find a matching exclusion for that either. But first I'm at least trying to solve this exclusion 🙂
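For anyone who wants to check, from the directory itself, which principals the two Secure Score recommendations in this thread are picking up, here is an added PowerShell example. It is not posted by anyone in the thread and is not Microsoft's code; it assumes the RSAT ActiveDirectory module in a domain-joined session with read access to the domain root. The first function reads the ACL of the domain naming context and reports every principal granted one of the replication extended rights that together make DCSync possible (the GUIDs are the schema-defined values for DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set, plus the all-zero GUID that means "all extended rights"); the second lists enabled users with the "password never expires" flag, which is what catches the HealthMailbox accounts Exchange creates. Function names are my own.

```powershell
# Added example, not from the thread: verify what Secure Score lists as "exposed entities"
# for "Remove non-admin accounts with DCSync permissions" and
# "Remove the attribute 'password never expires' from accounts in your domain".
# Assumes: RSAT ActiveDirectory module, domain-joined session, read access to the domain root.
Import-Module ActiveDirectory

# Extended-right GUIDs from the AD schema. A principal needs Get-Changes and Get-Changes-All
# (or an ACE with the empty GUID, i.e. all extended rights) to replicate password hashes.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights (includes replication)'
}

function Get-DcSyncPrincipal {
    # Returns one object per Allow ACE on the domain root that grants a replication right.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString().ToLower()
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.ActiveDirectoryRights.HasFlag($extendedRight) -and
            $ReplicationRights.ContainsKey($guid)) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value   # e.g. CONTOSO\MSOL_522f75393cfe
                Right     = $ReplicationRights[$guid]
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-DcSyncSummary {
    # Collapses the per-ACE list into one row per principal with all replication rights it holds,
    # so you can compare the list with the Secure Score "exposed entities" one by one.
    Get-DcSyncPrincipal | Group-Object Principal | ForEach-Object {
        [pscustomobject]@{
            Principal = $_.Name
            Rights    = ($_.Group.Right | Sort-Object -Unique) -join ', '
        }
    }
}

function Get-PasswordNeverExpiresAccount {
    # Enabled user accounts with DONT_EXPIRE_PASSWORD set; on-premises Exchange creates the
    # HealthMailbox-* monitoring accounts this way, which is why they show up in the assessment.
    Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
               -Properties PasswordNeverExpires, PasswordLastSet, Description |
        Select-Object SamAccountName, PasswordLastSet, Description
}

# Usage: run both checks against the current domain.
Get-DcSyncSummary | Format-Table -AutoSize
Get-PasswordNeverExpiresAccount | Format-Table -AutoSize
```

Expect the Entra Connect (MSOL_*) account to appear with both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, alongside the built-in Domain Controllers, Enterprise Domain Controllers, Administrators and Enterprise Admins entries. Anything else on that list is worth a closer look before deciding whether an exclusion, rather than removing the right, is the correct response.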
Mar 08 2024 01:08 AM