User Profile
LiorShapira
Joined 4 years ago
Recent Discussions
Re: Segregation of views for different sub-companies
We are currently working on providing the scoping capability you're describing via URBAC. This feature is in the private preview phase. Feel free to send me your tenant ID by mail to activate scoping and to share more details: liorshapira@microsoft.com.
Re: Secure Score "this account is sensitive and cannot be delegated"
The recommendation contains gMSA accounts by definition. The reason is that the goal of a gMSA is to be managed by AD, and the account can be used only by certain users. Therefore, delegation will allow an actor to use this account and, as a result, to escalate privileges and use the gMSA although they can't read its password. I suggest closing the recommendation in this case with mitigation.
Re: Secure Score "this account is sensitive and cannot be delegated"
starman2heven Could you please check again? We've updated the recommendation title to be "Ensure privileged accounts are not delegated". The deployment ended yesterday (except for the United States environment, which will take a couple of days). At the moment, we excluded DCs only; ADFS, Exchange servers and Certificate servers will be excluded by Nov 20'.
Re: Secure Score "this account is sensitive and cannot be delegated"
micheleariis Sblackery We are currently working on excluding DCs from this recommendation. We will update our public docs to include remediation steps for device accounts, and the recommendation title will be changed as well. All will be available by the beginning of next week.
Re: Secure Score - Accounts with non-default Primary Group ID
micheleariis This is a new security posture report we released a few days ago. The report contains entities with a non-default primary group ID, which may indicate an attacker's attempt to escalate privileges subtly, bypassing standard audits for group membership changes. We will raise a report if the primary group ID of an account is not one of the defaults, or if the primary group ID is different from the group that is considered primary. If that is not the case, please open a support ticket so we can investigate the issue.
Re: ATP Legacy portal to Defender > missing events in timeline
kinanoman The user timeline in the M365D portal contains group membership activities such as adding/removing the user from an AD group. Additionally, you can use Advanced hunting to find group-related activities from the last 30 days. For example, the query below presents group membership activities. I can share that we are working on creating a full group page, including a timeline of related activities and alerts, which will be available in the coming months.

IdentityDirectoryEvents
| where ActionType == 'Group Membership changed'
| extend ToGroup = tostring(parse_json(AdditionalFields).['TO.GROUP']) // Extracts the group name if the action adds an entity to a group.
| extend FromGroup = tostring(parse_json(AdditionalFields).['FROM.GROUP']) // Extracts the group name if the action removes an entity from a group.
| extend GroupMembershipAction = iff(isempty(ToGroup), 'Remove', 'Add') // Determines whether the action is Remove or Add
| extend GroupSidtoAddTo = tostring(parse_json(AdditionalFields).['TO.GROUP_SID'])
| extend GroupSidtoRemoveFrom = tostring(parse_json(AdditionalFields).['FROM.GROUP_SID'])
| extend GroupModified = iff(isempty(ToGroup), FromGroup, ToGroup) // Group name that the action was taken on
| extend GroupModifiedSid = iff(isempty(GroupSidtoAddTo), GroupSidtoRemoveFrom, GroupSidtoAddTo)
| extend Actor = tostring(parse_json(AdditionalFields).['ACTOR.ACCOUNT']) // Extracts the actor account name that performed the action
| extend TargetUser = tostring(parse_json(AdditionalFields).['TARGET_OBJECT.USER'])
| extend TargetDevice = tostring(parse_json(AdditionalFields).['TARGET_OBJECT.DEVICE'])
| extend TargetGroupToAddRemove = tostring(parse_json(AdditionalFields).['TARGET_OBJECT.GROUP']) // Extracts the group name if the action adds/removes a group entity to/from a group.
| extend Target_Group_Sid_Directory = iff(isnotempty(GroupSidtoRemoveFrom), GroupSidtoRemoveFrom, GroupSidtoAddTo)
| extend TargetAccount = case(isnotempty(TargetUser), TargetUser, isnotempty(TargetDevice), TargetDevice, TargetGroupToAddRemove)
| extend TargetType = case(isnotempty(TargetUser), 'User', isnotempty(TargetDevice), 'Device', 'Group')
| project Timestamp, ActionType, GroupMembershipAction, GroupModified, GroupModifiedSid, TargetType, DC=DestinationDeviceName, Actor, ActorDomain=AccountDomain, AdditionalFields
| order by Timestamp desc

Re: ATP Legacy portal to Defender > missing events in timeline
Fabrice LAIR The user timeline in the M365D portal contains the same activities as in the legacy portal. By filtering the Application, you can focus on activities from AD or AAD, and we are currently working on improving the entry information. I will be happy to hear more regarding the timeline experience.
Re: ATP Legacy portal to Defender > missing events in timeline
Hi tony87, I'm Lior from the product group. I've reviewed your survey responses and tried contacting you by mail on June 3rd without success. If you didn't receive my email, please send me a private message to t-lshapira@microsoft.com so we can discuss your concerns regarding the redirection.
Re: Old ATP portal - activities overview
AraDill The Defender for Identity experience is converged into the Microsoft 365 Defender portal. With that, we feel that the information contained in the classic portal experience can now be presented in a more unified manner, aligned with the additional Defender workloads, such as the unified alert and incident queue, advanced hunting and Secure Score recommendations. Please take a few minutes to share with us which functionality you feel is missing: https://aka.ms/MdiRedirectionSurvey
Re: ATP Legacy portal to Defender > missing events in timeline
erregei In the M365D portal, on the identity page you can find the timeline tab. It represents activities and alerts that the user was involved in. There is still work and improvements to do on the timeline, such as extra filters, more details about each activity, an export button and so on. Regarding redirection to the M365D portal, you are correct. You can still manually disable the automatic redirection, but from June 30, there will be a forced redirection. If you feel that there are important missing features, please let me know: t-lshapira@microsoft.com
Recent Blog Articles
Scope Identity Protection with Defender for Identity is Now Generally Available
I am excited to announce the general availability (GA) of domain-based scoping for Active Directory within Microsoft Defender for Identity. This is a foundational step in extending role-based access ...
Securing Identities: 10 recommendations for building a stronger identity security posture
Attack strategies are constantly evolving, and your identity security posture should too. Microsoft Defender for Identity is a core part of Microsoft Defender XDR and is specifically focused on helping c...
Protect and Detect: Microsoft Defender for Identity Expands to Entra Connect Server
We are excited to announce a new Microsoft Defender for Identity sensor for Entra Connect servers. This addition is a significant step in our ongoing commitment to expanding Defender for Ident...
Leveraging the convergence of Microsoft Defender for Identity in Microsoft 365 Defender Portal
The Microsoft Defender for Identity portal experience and functionality have been converged into Microsoft's extended detection and response (XDR) platform, Microsoft 365 Defender. Explore the...