Missing info related to password reset

Copper Contributor

We recently setup a MDI in our organisation with the help of Microsoft.

 

We previously used MS-ATA and in MS-ATA we could see details when event like password reset happened accros our organisation.

 

When a user password is being reset, In MDI we sometime get a result like :
User password has been modified

and other time we get to see by whom:
User password has been modifier by XYZ

Why is it not always showing who is responsible for the change ?

 

Thanks in advance

JP

1 Reply
Hello @whipjpv
Microsoft Defender for Identity (formerly known as Azure Advanced Threat Protection or Azure ATP, and before that as Microsoft Advanced Threat Analytics or MS-ATA) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

In terms of tracking password changes, Microsoft Defender for Identity should be capable of tracking and reporting such events consistently. However, there can be a few reasons why you are not always seeing the actor (the person or system responsible for the change) in the logs:

1. **Permissions**: The account used by Microsoft Defender for Identity to connect to your domain controllers needs sufficient permissions to read the security event logs. If the permissions are not set up correctly, some events may not be fully captured.

2. **Event Log Overwrite**: Windows event logs can overwrite old entries by default, especially if the log size is small and the volume of events is high. If the event is overwritten before Microsoft Defender for Identity can read it, some information might be missing.

3. **Replication Delays**: In environments with multiple domain controllers, there can be replication delays. If a password reset event is written to one domain controller and Microsoft Defender for Identity reads the event from a different domain controller, there can be a delay in capturing the event.

4. **Limitations of the Tool**: While Microsoft Defender for Identity is a powerful tool, it may not capture every single event detail depending on the complexity of the IT environment and the configuration of the tool itself.

To troubleshoot this issue, you could start by checking the permissions of the account used by Microsoft Defender for Identity, and the settings for your Windows event logs. If the issue persists, it would be best to reach out to Microsoft Support for more detailed troubleshooting.