User Profile

NinjaKitty

Brass Contributor

Joined Aug 21, 2020

23 Posts1 LikeLikes received1 Solution

View All Badges

User Widgets

Recent Discussions

Suspected Golden Ticket usage (time anomaly) false positive
We are currently evaluating Windows Hello. Since then we have regularly received the following defender identity warning for our testgroup only: Suspected Golden Ticket usage (time anomaly). The alert also says that "Due to insufficient source data, the default maximum user ticket lifetime (2 hours) has been applied." Our ticket lifetime is set to 10 hours. Can someone help me with this. NinjaKitty
Nov 21, 2023 Place Microsoft Defender for Identity
2.7KViews
0likes
2Comments
Re: How does MDI monitor DNS Requests?
Thank you for your reply. I will have my colleagues check these.
May 08, 2023 Place Microsoft Defender for Identity
3.5KViews
0likes
1Comment
Re: How does MDI monitor DNS Requests?
That is interessting. What could be wrong if it doesnt or rather does only get a few of all DNS queries? (not standalone)
Mar 23, 2023 Place Microsoft Defender for Identity
4KViews
0likes
3Comments
Re: How does MDI monitor DNS Requests?
Can you help me out on this one Martin_Schvartzman ?
Mar 09, 2023 Place Microsoft Defender for Identity
4.1KViews
0likes
5Comments
How does MDI monitor DNS Requests?
Hello, the https://learn.microsoft.com/en-us/defender-for-identity/monitored-activities#monitored-user-activities-domain-controller-based-user-operations documentation states that MDI monitors all DNS requests that are performed against the domain controller. I wonder how this is done. Via event logs or DNS log file or ... ? Is there perhaps a blog article on how MDI works under the hood? Cheers Martin
Solved
Mar 09, 2023 Place Microsoft Defender for Identity
identity protection
logging
Sensor
4.5KViews
0likes
7Comments
Re: MDI loggs only few DNS queries
I tested all four DCs with nslookup requests. They are not visible in the IdentityQueryEvents table. What am I missing?
Mar 06, 2023 Place Microsoft Defender for Identity
761Views
0likes
0Comments
Re: Diffrent results in Defender Activity Log and Advanced Hunting
Thank you Lior
Dec 07, 2022 Place Microsoft Defender for Identity
1.8KViews
0likes
0Comments
Re: Diffrent results in Defender Activity Log and Advanced Hunting
Changing the query does not make any diffrence. But if I run my querys now, the result match. Could there be delay in the data transfer? Do Advanced Hunting and Activity Log use diffrent databases?
Dec 06, 2022 Place Microsoft Defender for Identity
1.9KViews
0likes
2Comments
Re: Diffrent results in Defender Activity Log and Advanced Hunting
LiorShapira Screenshots were taken last friday. I added 3 days since its monday now. Interestingly, the advanced hunting results have changed. Now there are entries from november 25. which were not visible last friday. But the numbers still don't compare. 136 to 147 Could that be a delay in transfer to the advanced hunting database? Some entries are still missing
Nov 28, 2022 Place Microsoft Defender for Identity
1.9KViews
0likes
4Comments
Diffrent results in Defender Activity Log and Advanced Hunting
Hello there, we have Defender Identity Sensors running on our Domain Controllers. When I query login results by using Activity Log and Advanced Hunting, i get diffrent result. The device ist our ADFS server. What am i missing here? thank you martin
Solved
Nov 25, 2022 Place Microsoft Defender for Identity
2.2KViews
0likes
6Comments
MDI loggs only few DNS queries
hi, we depoyed MDI on our four DCs. Everything seems to work. Events are comming in, alerts are beeing generated. Yesterday I digged into DNS queries and it seems, as if only a few querys are logged by MDI. My expectation is, that every DNS query should be visible in MDI. cheers kitty
Apr 29, 2022 Place Microsoft Defender for Identity
1.1KViews
0likes
1Comment
Re: MDE Linux Security Recommendation
Problem solved itself. I just haven't waited long enough.
Apr 26, 2022 Place Microsoft Defender for Endpoint
1.8KViews
0likes
0Comments
MDE Linux Security Recommendation
Hi everyone, I just installed MDE one a linux (Debian 11) test server. Detection and Timeline are working fine. According to this article security recommendation should also work with linux. But the page in the portal is empty. Did i miss something? Secure configuration assessment for macOS and Linux now in public preview - Microsoft Tech Community healthy : true health_issues : [] licensed : true engine_version : "3.0" app_version : "101.62.74" org_id : deleted log_level : "info" machine_guid : deleted release_ring : "Production" product_expiration : Dec 13, 2022 at 06:10:49 AM cloud_enabled : true cloud_automatic_sample_submission_consent : "safe" cloud_diagnostic_enabled : false passive_mode_enabled : false real_time_protection_enabled : true real_time_protection_available : true real_time_protection_subsystem : "fanotify" supplementary_events_subsystem : "auditd" tamper_protection : "disabled" automatic_definition_update_enabled : true definitions_updated : Apr 25, 2022 at 03:33:50 PM definitions_updated_minutes_ago : 154 definitions_version : "87718" definitions_status : "up_to_date" edr_early_preview_enabled : "disabled" edr_device_tags : [] edr_group_ids : "" edr_configuration_version : deleted edr_machine_id : deleted conflicting_applications : [] network_protection_status : "stopped"
Solved
Apr 25, 2022 Place Microsoft Defender for Endpoint
1.8KViews
0likes
1Comment
Re: Office 365 Threat Intelligence connection insufficient rights
TechUser152 The error message is gone for me now. Happy Holidays!
Dec 21, 2020 Place Microsoft Defender for Endpoint
7.9KViews
0likes
3Comments
Re: Office 365 Threat Intelligence connection insufficient rights
TechUser152 can you share the reason for the issue? For me the connections is still "pending".
Dec 18, 2020 Place Microsoft Defender for Endpoint
8KViews
0likes
5Comments
Re: Office 365 Threat Intelligence connection insufficient rights
TechUser152 The error still persists. Premium support would be a good idea for us too.
Dec 17, 2020 Place Microsoft Defender for Endpoint
8.2KViews
0likes
8Comments
Office 365 Threat Intelligence connection insufficient rights
Since today Defender Security Center lets me know, that the Office 365 Threat Intelligence connection is pending because insufficient rights. Even though my account is global admin and security administrator. Am I doing something wrong here?
Solved
Dec 09, 2020 Place Microsoft Defender for Endpoint
9.1KViews
0likes
17Comments
Re: Unsecure Kerberos delegation still visible after mitigation
That was it. Thank you very much. Sorry for late reply. I had trouble logging into techcommunity with my federated account.
Dec 09, 2020 Place Microsoft Defender for Identity
1.7KViews
0likes
0Comments
Re: Unsecure Kerberos delegation still visible after mitigation
Or Tsemah The accounts are still marked as "active" in AATP even though they are deleted in active directory.
Sep 10, 2020 Place Microsoft Defender for Identity
1.9KViews
0likes
5Comments
Unsecure Kerberos delegation still visible after mitigation
Hello, Azure ATP noticed some accounts with unsecure Kerberos delegation. We deleted the affected accounts in active directory. Actually the warning should disapere after that but is still visible. I dont unterstand.
Solved
Sep 09, 2020 Place Microsoft Defender for Identity
2KViews
1like
7Comments

Recent Blog Articles

No content to show