Investigations
Detecting service account provisioning

Hi all, I'm doing some research around the creation and enabling of old-fashioned service accounts using MS Defender. I'm trying to achieve a couple of things, actually. I can detect a LogonType of Service on MDE-onboarded machines using the DeviceLogonEvents table, but there are a few other things I would like to achieve:

1.) Raise an alert when a domain account is granted the "Logon as a Service" right on any machine.
2.) When an account that has never logged on as a service suddenly does so.
3.) Perhaps detect when a user account's ServicePrincipalName attribute is populated or updated.

So the service account logon query looks like this:

DeviceLogonEvents
| where Timestamp >= ago(30d)                              // last 30 days of logon events
| where LogonType == "Service" or LogonType == "Batch"     // service-style logons only
| where AccountDomain =~ "saica"                           // our domain, case-insensitive
| summarize count() by AccountName, DeviceName, LogonType  // how often each account logs on where
| sort by count_ desc

The other ones seem to be a bit trickier. Anyone got any ideas? I would rather not install the MMA agent everywhere and ingest security event logs.
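For item 2 in the post above (an account that has never logged on as a service suddenly doing so), the following Advanced Hunting query is an added example and is not from the original post or from Microsoft. It builds a baseline of (account, logon type) pairs seen in DeviceLogonEvents over the preceding 30 days and reports pairs that appear only in the most recent day. The domain "saica" and the Service/Batch filter are taken from the post's own query; the 30-day baseline and 1-day "new" window are assumptions to tune. It only covers onboarded devices and only addresses item 2; the user-right assignment in item 1 and the SPN changes in item 3 are not in this table.

```kql
// Added example (not from the post): accounts whose first Service/Batch logon
// in the lookback window falls inside the most recent day.
let lookback = 30d;   // assumption: baseline window, tune as needed
let recent   = 1d;    // assumption: window in which a logon counts as "new"
let baseline = DeviceLogonEvents
    | where Timestamp between (ago(lookback) .. ago(recent))
    | where LogonType in ("Service", "Batch")
    | where AccountDomain =~ "saica"
    | summarize by AccountName, LogonType;   // distinct (account, type) pairs seen before
DeviceLogonEvents
| where Timestamp > ago(recent)
| where LogonType in ("Service", "Batch")
| where AccountDomain =~ "saica"
| join kind=leftanti baseline on AccountName, LogonType   // drop pairs already in the baseline
| summarize FirstSeen = min(Timestamp),
            Logons    = count(),
            Devices   = make_set(DeviceName)
          by AccountName, LogonType
| sort by FirstSeen asc
```

Run it ad hoc first to see how noisy the result is; once the baseline window is long enough that known service accounts stop appearing, the same query can be saved as a custom detection rule so that a new account/logon-type pair raises an alert on its own. Note that an account first seen as a service logon more than one day ago but within the 30-day window is treated as part of the baseline, so a one-off run does not catch it; a scheduled rule does.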
Exclusions for Network Name Resolution

Hi all, I have deployed Defender for Identity in an infrastructure and now it has been discovered that the sensors are performing name resolution even on unknown IPs, e.g. a Linux-based honeypot that has no connection to the AD. Furthermore, according to the firewall, the sensors "scan" in larger packets, which in turn causes the firewall to alert. Does anyone know if it is possible to exclude certain IPs or ranges from the scan, and is there any documentation on how the process works in detail? Thanks in advance.

Missing alerts from MDI, suspicious additions to sensitive groups

Hi there! Without going into specific details about how and what has happened, I can clearly say that we are missing at least two alerts regarding suspicious additions to sensitive groups. What I can say is that we don't have any exclusions on that rule in MDI, but we still had new members in one group without any alert. I can see the additions in the legacy portal (portal.atp.azure.com), but they are not classified as suspicious for some reason, while another addition to the same group raised an alert the day after. What can the issue be, and how can we make sure it does not happen again?

Question on configuring SAM-R to enable lateral movement path detection

Hey Defender Peeps, referring to this KB from MS: Configure SAM-R to enable lateral movement path detection - Microsoft Defender for Identity | Microsoft Learn. Seeking some advice on "configuring SAM-R to enable lateral movement path detection in Microsoft Defender for Identity". The customer doesn't currently have the "Network access - Restrict clients allowed to make remote calls to SAM" policy defined within their environment, and is unsure of the implications of doing so. I assume that by enabling the policy across their domain (excluding Domain Controllers) and adding the Directory Service account with Remote Access, any other accounts currently making remote calls to SAM will start failing? The MS documentation around the policy setting itself mentions the ability to configure audit-only mode for the change, but applying that across the PROD environment means we'd need to look for 8 different event IDs across every server/workstation in every domain in order to figure out what other accounts are making remote calls to SAM and why (i.e. it will take a significant amount of time). Can someone advise what best practice would be followed for enabling the policy, and what accounts should be added in addition to the Directory Service account? Any thoughts/advice are highly appreciated. Thank you!!

Missing features in Security portal

With the Azure ATP portal we were able to do a lot more investigation of on-premises actions. We are in a large hybrid environment. Is there a way to access the old portal to get back that timeline for a user? The things we are currently missing that we have found are the following:

- Password resets; we were able to see those easily in the user's timeline.
- Users being added to or removed from groups, and who did it.
- Failed logins to on-premises resources.
- You can no longer search for groups.
- Can't export the same data as in the ATP portal.

Some of us used this daily and are having trouble figuring out how to get the correct information now. I'm aware that we can see some of those things in the user's audit logs, for example, but it would be nice to be able to see it in the timeline as before.

Generating alerts in test lab

Hi All, I have set myself up a Defender test lab: I have my DC connected to Defender for Identity and I have 2 user machines that are onboarded to Defender for Endpoint. I also have all the relevant integrations in place, with Azure Sentinel also configured. I am looking to start generating alerts by using various tools on my machines to recreate the kind of activity that would require investigation. Does anyone know of any resources/guides that can teach me how to begin to perform activities that would generate these alerts, like lateral movement and LDAP reconnaissance etc.?