User Profile
Martin_Schvartzman
Joined 7 years ago
Recent Discussions
Re: KQL query to check tri.sensor for MDI
zlate81 You can use the sensor and healthIssues Graph APIs to pull and manage the sensors and health issues. See these for more details:
https://learn.microsoft.com/en-us/graph/api/security-identitycontainer-list-sensors?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/graph/api/security-identitycontainer-list-healthissues?view=graph-rest-1.0&tabs=http
131 Views, 0 likes, 0 Comments

Re: Error create instance Defender for identity
This can happen when your tenant was onboarded to MDI in the past, and the workspace was deleted (due to license expiration and retention expiration, or deleted manually through a support ticket). The error message displayed in the portal contains a link to the instructions on what to do to fix the issue: https://go.microsoft.com/fwlink/?linkid=224631315KViews1like0Comments

Re: Cannot install the sensor on Windows Server 2022 server core
TherealKillerbe Assuming the missing closing double quotes at the end of the command line is just a copy paste issue, then there must be a log in the temp folder. Check the user's temp folder ($env:temp) for log files named "Azure Advanced Threat Protection Sensor_00000000000000" (zeros represent a yyyyMMddHHmmss timestamp). See this for more details: Troubleshooting the sensor using logs - Microsoft Defender for Identity | Microsoft Learn
1.1K Views, 0 likes, 1 Comment

Re: MDI - NNR - blocking NNR for networks with unmanaged and untrusted endpoints - exclusions
Anwar Mahmood Don't use the exclusions for this, as it would exclude the detections for that IP range. We have an option to exclude an IP and/or range from NNR. But you'll need to open a support ticket for that, as it's something that needs to be configured in the backend.
1.6K Views, 0 likes, 0 Comments

Re: API for Defender for Identity Portal
lorisAmbrozzo The public APIs for MDI were unfortunately postponed again. The 1st phase was supposed to include health issues management, then sensor management, tagging and response action was supposed to be ready by CY24Q1. I don't know yet how long the delay will be, as the R&D group is based in Israel. This is the roadmap item you can use to track this feature: https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=1698765KViews0likes0Comments

Re: How to install Microsoft Defender for Identity
Linas Snarskis I think there's a mix-up here. If you are getting the ITDR deployment tile in the Microsoft 365 Defender portal suggesting that you should deploy MDI, then you don't need to buy any new licenses. You already have them. If you don't see the Identities section under settings, it means that your account doesn't have the minimum permissions (Security Admin) to start the onboarding.
2.4K Views, 1 like, 3 Comments

Re: Domain Controllers - Sensor has issues with packet capturing component
MattBlanton I suggest you open a support case; they will help you identify the issue. My guess is that there was a prior version of winpcap/npcap when you installed the sensor, so it skipped installing and configuring npcap. This can be determined by the alert severity:
Low = winpcap is installed
Medium = npcap 0.x is installed
High = npcap >= 1.0 is installed, but not with the required configuration
See https://learn.microsoft.com/en-us/defender-for-identity/health-alerts#sensor-has-issues-with-packet-capturing-component
2.5K Views, 0 likes, 0 Comments

Re: Licensing - Limit Defender for Identity to certain users
Robin_Inderberg MDI provides security value (posture, detection, investigation, response, etc.) to the entire organization or domain, rather than provide a specific capability to specific users or groups. As a result, it's not possible to scope the deployment or licensing to just part of the organization. This is actually a good thing, since attackers could come from outside the scope of any given user or group, and MDI needs to be able to detect and prevent such attacks regardless of their origin. By providing security value to the entire organization, MDI helps ensure that the entire organization is protected from a wide range of potential threats.
3.8K Views, 0 likes, 4 Comments

Re: New card about "ITDR Deployment Health" showing in Microsoft 365 Defender's home dashboard
Jose Camacaro Latouche If you are not interested in MDI for AD on-prem, you can disregard this notification. It is showing because you have licenses for MDI but don't have an active workspace with reporting sensors.
2.7K Views, 1 like, 0 Comments

Re: Permissions required for the DSA Account - Missing the revoking of the 'ownership' in the script
Curious_Kevin16 Yes, you can keep the ownership of the deleted object container. It has no impact on the permissions. If you want to remove the permissions you assigned, you can run the following two lines instead of the two prior ones:
    $params = @("$deletedObjectsDN", '/R', $Identity)
    C:\Windows\System32\dsacls.exe $params
I'll update the public documentation to include them as well.
1K Views, 1 like, 0 Comments

Re: Domain Controllers - Sensor has issues with packet capturing component
MattBlanton The 'Sensor has issues with packet capturing component' health alert can mean several things. It could be that you are still using the winpcap driver, you have an old version of npcap (less than 1.0), or the npcap installation doesn't contain the settings we require. See https://learn.microsoft.com/en-us/defender-for-identity/health-alerts#sensor-has-issues-with-packet-capturing-component for more details on each. The probable best solution would be to remove the sensor, remove any winpcap or npcap installations (please verify first that you don't need them for a different software installed on the server), and then reinstall the sensor package. It will take care of the capturing component installation and configuration. EliOfek for vis.
2.7K Views, 1 like, 2 Comments
Recent Blog Articles
Introducing the new PowerShell Module for Microsoft Defender for Identity
Today, I am excited to introduce a new PowerShell module designed to help further simplify the deployment and configuration of Microsoft Defender for Identity. This tool will make it easier than ever...
37K Views, 17 likes, 17 Comments