User Profile
NinjaKitty
Brass Contributor
Joined Aug 21, 2020
Recent Discussions
Suspected Golden Ticket usage (time anomaly) false positive
We are currently evaluating Windows Hello. Since then we have regularly received the following Defender for Identity warning for our test group only: Suspected Golden Ticket usage (time anomaly). The alert also says that "Due to insufficient source data, the default maximum user ticket lifetime (2 hours) has been applied." Our ticket lifetime is set to 10 hours. Can someone help me with this?

How does MDI monitor DNS Requests?
Hello, the https://learn.microsoft.com/en-us/defender-for-identity/monitored-activities#monitored-user-activities-domain-controller-based-user-operations documentation states that MDI monitors all DNS requests that are performed against the domain controller. I wonder how this is done. Via event logs or DNS log file or ...? Is there perhaps a blog article on how MDI works under the hood? Cheers, Martin

Re: Different results in Defender Activity Log and Advanced Hunting
LiorShapira Screenshots were taken last Friday. I added 3 days since it's Monday now. Interestingly, the advanced hunting results have changed. Now there are entries from November 25 which were not visible last Friday. But the numbers still don't compare: 136 to 147. Could that be a delay in transfer to the advanced hunting database? Some entries are still missing.

Different results in Defender Activity Log and Advanced Hunting
Hello there, we have Defender for Identity sensors running on our domain controllers. When I query login results using Activity Log and Advanced Hunting, I get different results. The device is our ADFS server. What am I missing here? Thank you, Martin

MDI logs only few DNS queries
Hi, we deployed MDI on our four DCs. Everything seems to work. Events are coming in, alerts are being generated. Yesterday I dug into DNS queries and it seems as if only a few queries are logged by MDI. My expectation is that every DNS query should be visible in MDI. Cheers, Kitty

MDE Linux Security Recommendation
Hi everyone, I just installed MDE on a Linux (Debian 11) test server. Detection and Timeline are working fine. According to this article, security recommendation should also work with Linux. But the page in the portal is empty. Did I miss something? Secure configuration assessment for macOS and Linux now in public preview - Microsoft Tech Community
healthy : true
health_issues : []
licensed : true
engine_version : "3.0"
app_version : "101.62.74"
org_id : deleted
log_level : "info"
machine_guid : deleted
release_ring : "Production"
product_expiration : Dec 13, 2022 at 06:10:49 AM
cloud_enabled : true
cloud_automatic_sample_submission_consent : "safe"
cloud_diagnostic_enabled : false
passive_mode_enabled : false
real_time_protection_enabled : true
real_time_protection_available : true
real_time_protection_subsystem : "fanotify"
supplementary_events_subsystem : "auditd"
tamper_protection : "disabled"
automatic_definition_update_enabled : true
definitions_updated : Apr 25, 2022 at 03:33:50 PM
definitions_updated_minutes_ago : 154
definitions_version : "87718"
definitions_status : "up_to_date"
edr_early_preview_enabled : "disabled"
edr_device_tags : []
edr_group_ids : ""
edr_configuration_version : deleted
edr_machine_id : deleted
conflicting_applications : []
network_protection_status : "stopped"

Office 365 Threat Intelligence connection insufficient rights
Since today Defender Security Center lets me know that the Office 365 Threat Intelligence connection is pending because of insufficient rights, even though my account is global admin and security administrator. Am I doing something wrong here?

Unsecure Kerberos delegation still visible after mitigation
Hello, Azure ATP noticed some accounts with unsecure Kerberos delegation. We deleted the affected accounts in Active Directory. Actually the warning should disappear after that, but it is still visible. I don't understand.