Requirements
6 Topics

Defender pre-reqs - ports.
Hi, we are running through the pre-reqs and unsure what exactly is required for the firewall section and allowing the ports: https://learn.microsoft.com/en-us/defender-for-identity/prerequisites#ports

Particularly the "To" column:

| Protocol | Transport | Port | From | To |
| --- | --- | --- | --- | --- |
| Internet ports | | | | |
| SSL (*.atp.azure.com) | TCP | 443 | Defender for Identity sensor | Defender for Identity cloud service |
| Internal ports | | | | |
| DNS | TCP and UDP | 53 | Defender for Identity sensor | DNS Servers |
| Netlogon (SMB, CIFS, SAM-R) | TCP/UDP | 445 | Defender for Identity sensor | All devices on network |
| RADIUS | UDP | 1813 | RADIUS | Defender for Identity sensor |
| Localhost ports* (Required for Sensor Service updater) | | | | |
| SSL (localhost) | TCP | 444 | Sensor Service | Sensor Updater Service |
| NNR ports** | | | | |
| NTLM over RPC | TCP | Port 135 | Defender for Identity sensor | All devices on network |
| NetBIOS | UDP | 137 | Defender for Identity sensor | All devices on network |
| RDP | TCP | 3389, only the first packet of Client hello | Defender for Identity sensor | All devices on network |

Any ideas? Thanks

Solved, 2.9K Views, 0 likes, 2 Comments

Best practice for Microsoft Defender for Identity
Dear Team, I have installed Azure ATP Sensor for MDI in the domain controller (AD) already, but I don't know the best practice on how to configure it in MDI. Could you help to share best practices to configure MDI? Best Regards, Ravoth

2.8K Views, 0 likes, 3 Comments

Permissions required for the DSA Account - Missing the revoking of the 'ownership' in the script
Hi All, Referring to the following step of the Directory services account permission assignment, after obtaining the ownership permissions of the 'Deleted objects' container ACL, is it just left as is? How do we revoke this properly?

    # Take ownership on the deleted objects container:
    $params = @("$deletedObjectsDN", '/takeOwnership')
    C:\Windows\System32\dsacls.exe $params

Ref - Directory Service account recommendations - Microsoft Defender for Identity | Microsoft Learn

Question on configuring SAM-R to enable lateral movement path detection
Hey Defender Peeps, Referring to this KB from MS - Configure SAM-R to enable lateral movement path detection - Microsoft Defender for Identity | Microsoft Learn. Seeking some advice on "configuring SAM-R to enable lateral movement path detection in Microsoft Defender for Identity". The customer doesn't currently have the "Network access - Restrict clients allowed to make remote calls to SAM" policy defined within their environment, and is unsure of the implication of doing so – assume by enabling the policy across their domain (excluding Domain Controllers) and adding the Directory Service account with Remote Access, any other accounts currently making remote calls to SAM will start failing? The MS documentation around the policy setting itself mentions the ability to configure audit-only mode for the change, but applying that across the PROD environment means we'd be needing to look for 8 different event IDs across every server/workstation in every domain in order to figure out what other accounts are making remote calls to SAM and what (i.e. it will take a significant amount of time). Can someone advise what Best Practice would be followed for enabling the policy/what accounts should be added in addition to the Directory Service account? Any thoughts/advice are highly appreciated. Thank you!!

2.4K Views, 0 likes, 2 Comments

Defender for Identity Sensor Sizing for ADFS
Howdy Folks! Is there any way of sizing the AD FS servers for sensor installation? I'm guessing the Sizing tool we have is just for the Domain Controllers, not for AD FS servers. Should I stick to general recommendations (minimum of 2 cores and 6 GB of RAM)? Or are there any specifics for AD FS? I've tried to dig in through documentation but nothing specified by Microsoft in this regard. Appreciate your advice! Thank you!

Defender for Identity sensor high severity alert
MDI sensor is generating a high severity alert stating "A health issue occurred Sensor received more windows events than they can process resulting in some events not being analyzed". While I checked MS docs for the possible cause I got this: "Verify that only required events are forwarded to the Defender for Identity sensor or try to forward some of the events to another Defender for Identity sensor". But I am not able to find a way to verify this. If anyone has faced a similar issue I wanted to know the possible solutions for the same. Thanks in advance

1.5K Views, 0 likes, 1 Comment