User Profile
EliOfek
Joined Jan 07, 2018
Recent Discussions
Re: Very High Increase in CPU activity after Update Microsoft Defender for Identity sensor
A fix was deployed from the cloud. The affected sensors should restart with a new configuration that will eliminate the runaway thread issue and you should see the CPU going back to normal.
232 Views, 1 like, 0 Comments
Re: Very High Increase in CPU activity after Update Microsoft Defender for Identity sensor
Hi, Ack on that. We spotted the issue. In some sensors a thread might hog between 0 to 100% of a single core. We are working on a fix. Note that the sensor has a job limiter which should make sure to leave at least 15% of CPU free at all times. It will limit CPU usage down to 10% of total machine if needed (with the price of dropping traffic), so if you are really hitting 100% CPU please check if there is something else that is also consuming the CPU which was not expected.
599 Views, 0 likes, 0 Comments
Re: Change password for krbtgt account
Hi, I have consulted an SME for this and he requested that you open a support case so he can research this specific case. Can you please open such a case, and ask the support engineer to directly engage Ran Yagil from Engineering by my recommendation? Ran is the SME for this and he can check exactly what happened and why.
60 Views, 1 like, 1 Comment
Re: sensor service fails to start
There should be another log entry before that with an error code that says (hopefully) what went wrong when we tried to create the LDAP connection, and which credential was used, against which DC. The indicated error code is crucial for initial troubleshooting.
300 Views, 0 likes, 1 Comment
Re: MDI AD CS sensor not switching from removed DC
You don't need to reinstall; you can select a different DC using the portal when editing sensor settings in the sensors list. You can also reinstall: during deployment the deployment tool contacts the DC locator to select a DC, so it should select a working one, but I think it's faster to just change it in the portal, also if you have a preference on which DC you want it to work with.
298 Views, 1 like, 1 Comment
Re: Alert Not Found
Any chance you have several tenants? If so, make sure you are logged in to the correct tenant. If not, I suggest opening a support case where support can check what happened to this alert. It requires much more detail and is thus not suitable to discuss over this thread.
89 Views, 1 like, 0 Comments
Re: Low success rate of active name resolution NetBIOS (failed rates 80%) and RdpTls (failed rate 90%).
First of all, once you have NTLMRpc and DNS working, at least from a detection aspect you should be fine. Now, to clear warnings, you can ask support for a report on which IPs are failing from those sensors; this will give you a clue as to what is blocked, but there is no way for Microsoft to remotely know what is blocking the comms, it could be a network firewall or the target machine FW itself...
205 Views, 0 likes, 1 Comment
Re: Spurious health alerts with sensor 2.241.18721.18894
This is indeed a new health alert added in the last version. If you feel that it is false, meaning you don't have LSO enabled for sure, open a support case. I advise attaching the output of this PowerShell command to the case notes:
    (Get-CimInstance -Namespace root\standardcimv2 -Query "SELECT * FROM MSFT_NetAdapterAdvancedPropertySettingData WHERE InstanceID LIKE '%YOUR_ADAPTER_ID%' AND DisplayName LIKE 'Large Send Offload%'") | Where-Object { $_.DisplayValue -eq 'Enabled' } | ForEach-Object { $true } | Select-Object -First 1
or run this WMI query any other way, like wmic:
    wmic /namespace:\\root\standardcimv2 path MSFT_NetAdapterAdvancedPropertySettingData where "InstanceID like '%YOUR_ADAPTER_ID%' and DisplayName like 'Large Send Offload%'" get DisplayValue
Make sure to replace your adapter id; you can get it with something like this:
    Get-CimInstance -Namespace root\standardcimv2 -ClassName MSFT_NetAdapter | Select-Object Name, InstanceID
The sensor logic that reports the health alert uses something very close to that to decide if there is an issue. One more note when checking for LSO: keep in mind to check both IPv4 and IPv6.
232 Views, 0 likes, 1 Comment
Re: ATP Sensor will not install on Windows 2016
Temp workaround: if you have already installed a sensor in the past, you can use the old package to deploy new machines, it will be auto upgraded to this version (without being blocked) within a few minutes post the install as the auto upgrade works differently and won't hit the error bug. The root issue should be addressed in a ticket anyway, as eventually we want you to have the greatest and latest and now it seems you will still be one version behind.
85 Views, 0 likes, 0 Comments
Re: ATP Sensor will not install on Windows 2016
The issue I previously mentioned was already resolved as far as I know for everyone else. Please open a support ticket for this one. You might be hitting a different issue that is just "similar" to the one I mentioned. Feel free to send me the ticket # in a private message when you have one, I will do my best to put a rush on it.
78 Views, 0 likes, 0 Comments
Re: ATP Sensor will not install on Windows 2016
There is no point in multiple tries... Can you go to https://security.microsoft.com/securitysettings/identities?tabid=about and tell me what Sensor version you see there? It should be 2.240.18612.44306. If it's not, no point in even trying, it means there are still issues.
170 Views, 0 likes, 3 Comments
Re: ATP Sensor will not install on Windows 2016
You can only download the version that the portal supports at the time. The issue was fixed, refreshing the portal and downloading a new package now should resolve the issue. (The issue was in one of the US clusters and is now fixed.) Apologies for the inconvenience and thank you for this feedback that brought this to our attention so we can fix it faster.
149 Views, 0 likes, 0 Comments
Re: Suspected identity theft (pass-the-ticket) when switching LAN/WiFI
This usually happens when NNR is blocked or partially blocked (ports not accessible or device is behind NAT). I suggest opening a support ticket and the support team will know how to guide you and check what the problem is and what needs to be done to fix it.
772 Views, 1 like, 0 Comments
Re: MDI for Certificate Services
I suggest to read these posts for starters to know "what to expect" from this feature:
https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/microsoft-defender-for-identity-expands-its-coverage-with-new-ad-cs-sensor/3894215
https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/securing-ad-cs-microsoft-defender-for-identitys-sensor-unveiled/3980265
110 Views, 0 likes, 0 Comments