alerts
17 Topics
- SAMR Queries from specific server (not computer): Hi, one of my servers shows in ATA multiple SAMR queries (see attached screenshot). It's happening at the beginning of each hour, as can be seen (3:13pm, 2:13pm, etc.). Which process/network activity should I check on the server (if there is no scheduled task)? Thank you.
- Missing alerts from MDI, suspicious additions to sensitive groups [Solved]: Hi there! Without going into specific details about how and what has happened, I can clearly say that we are missing at least two alerts regarding suspicious additions to sensitive groups. What I can say is that we don't have any exclusions on that rule in MDI, but still we had new members in one group without any alert. I can see the additions in the legacy portal (portal.atp.azure.com), but they are not classified as suspicious for some reason, while another addition to the same group raised an alert the day after. What can the issue be, and how can I make it so that it does not happen again?
- Reconnaissance using Directory Services queries: Hi, I observe SAMR queries from some servers and desktops to the domain controller for various user accounts. Whenever it's an admin account, it triggers the "Reconnaissance using Directory Services queries" alert in ATA (Microsoft Advanced Threat Analytics). For the investigation I tried to use https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide, but I am not sure how to investigate the below. Are such queries supposed to be made from the source computer in question? What can the legitimate cases for SAM-R queries be? Note: this is not related to the Lenovo issue with SAMR or WaAppAgent.exe. Thanks,
- microsoft windows defender 11: Good afternoon, Microsoft community. I am turning to this forum because I am extremely worried: for some weeks now Windows Defender has been showing me a yellow alert telling me that I need to take actions for the security of the computer. However, I have taken the corresponding actions and cannot find a solution. The latest warning it shows me is in the "reputation-based protection" section of Windows Defender; I try to fix it but get nowhere. I fear it may be a virus performing dangerous actions. I am asking whether this problem is Microsoft's or only my notebook's. Many thanks for the help.
- Product feedback for Defender for Identity: Hi all, we would love for you to share your thoughts, feedback, and experiences using Defender for Identity. You can share them on Gartner Peer Insights by using this link. Your review will help us get the word out and continue to improve our solution. If you're asked to create an account, please be aware that this is to ensure the legitimacy of the review, and Microsoft will not be given any information on the folks who've submitted reviews, positive or otherwise. Defender for Identity doesn't have any reviews at the moment, so I'd love to see us populate this using the input from this community. I'm always impressed with the feedback we get through these channels. And if you have any questions or comments, let me know!
- Export of exclusion settings [Solved]: Hello everybody, is there a way to export the MDI exclusions on a regular basis (for example with PowerShell)? I would like to export the exclusions to document them. Several people can make exclusions, and for traceability we would like to export the exclusions to JSON, CSV or whatever. Thank you.
- Defender for Identity sensor high severity alert: The MDI sensor is generating a high severity alert stating "A health issue occurred: Sensor received more Windows events than they can process, resulting in some events not being analyzed". When I checked the MS docs for the possible cause I got this: "Verify that only required events are forwarded to the Defender for Identity sensor or try to forward some of the events to another Defender for Identity sensor". But I am not able to find a way to verify this. If anyone has faced a similar issue, I wanted to know the possible solutions for the same. Thanks in advance
- Create an alert on "Failure message: Strong Authentication is required": Hi, I would like to create an alert on "Failure message: Strong Authentication is required" when the client IP is not from "France". My idea is to find users whose password has been stolen, but where the attacker has no knowledge of MFA/TOTP. I chose the following filter: But I don't find how to filter only "Failure message: Strong Authentication is required", and after that I would like to create a policy on it. Thanks for your help! Regards, Lionel
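The detection Lionel describes, as an added example that is not part of his post or of any Microsoft product: the "Strong Authentication is required" interrupt is only returned after the first factor (the password) was accepted, so an MFA interrupt from outside the home country is a correct password being used from the wrong place. The code below runs that filter over constructed sign-in records in JSON-lines form, with field names modelled on an Azure AD sign-in log export (userPrincipalName, ipAddress, location.countryOrRegion, status.failureReason); the records, IP addresses and users are invented, the errorCode values are an assumption about the record format and are not used by the logic, and matching is done on the failure reason text the post quotes. Records with no geolocation are treated as outside the home country so they are not silently dropped.

```python
import json
from collections import defaultdict

# Constructed sample of sign-in log records (JSON lines). Values are invented for
# this example; the field layout mirrors an Azure AD sign-in log export.
SAMPLE_SIGNIN_LOGS = """
{"createdDateTime": "2023-05-02T08:01:10Z", "userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.10", "location": {"countryOrRegion": "FR"}, "status": {"errorCode": 50074, "failureReason": "Strong Authentication is required."}}
{"createdDateTime": "2023-05-02T08:01:40Z", "userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.10", "location": {"countryOrRegion": "FR"}, "status": {"errorCode": 0, "failureReason": "Other."}}
{"createdDateTime": "2023-05-02T23:14:02Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50074, "failureReason": "Strong Authentication is required."}}
{"createdDateTime": "2023-05-02T23:19:45Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50074, "failureReason": "Strong Authentication is required."}}
{"createdDateTime": "2023-05-02T23:20:01Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.5", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 50126, "failureReason": "Error validating credentials due to invalid username or password."}}
{"createdDateTime": "2023-05-02T23:21:30Z", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.9", "location": {}, "status": {"errorCode": 50074, "failureReason": "Strong Authentication is required."}}
"""

# The failure message quoted in the post, matched case-insensitively.
MFA_REQUIRED_REASON = "strong authentication is required"
HOME_COUNTRY = "FR"  # assumption: the poster's "France" as an ISO country code


def parse_signin_logs(text):
    """Parse JSON-lines sign-in records; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def country_of(record):
    """Country code of the client IP, or 'UNKNOWN' when geolocation is missing."""
    return (record.get("location") or {}).get("countryOrRegion") or "UNKNOWN"


def is_mfa_interrupt_outside_home(record, home_country=HOME_COUNTRY):
    """True when the password was accepted and an MFA challenge was issued
    from outside home_country. Unknown geolocation counts as outside (fail closed).
    Sign-ins that failed at the password step never reach this message, so a
    plain password-guessing attempt does not trigger the rule."""
    reason = ((record.get("status") or {}).get("failureReason") or "").lower()
    return MFA_REQUIRED_REASON in reason and country_of(record) != home_country


def summarize_mfa_interrupts(records, home_country=HOME_COUNTRY):
    """Group hits by (user, country) with event count and distinct source IPs,
    so repeated attempts from several addresses stand out from one-off travel."""
    hits = defaultdict(lambda: {"count": 0, "ips": set()})
    for rec in records:
        if is_mfa_interrupt_outside_home(rec, home_country):
            key = (rec["userPrincipalName"], country_of(rec))
            hits[key]["count"] += 1
            hits[key]["ips"].add(rec["ipAddress"])
    return {k: {"count": v["count"], "ips": sorted(v["ips"])} for k, v in hits.items()}


if __name__ == "__main__":
    summary = summarize_mfa_interrupts(parse_signin_logs(SAMPLE_SIGNIN_LOGS))
    for (user, country), info in sorted(summary.items()):
        print(f"{user} from {country}: {info['count']} MFA interrupt(s) from {', '.join(info['ips'])}")
```

On the sample this flags alice (two interrupts from two US addresses) and carol (one interrupt with no geolocation), while alice's own MFA prompt from France and bob's wrong-password failure are ignored. A legitimately travelling user produces the same signal, so the count and the number of distinct source IPs per user are what an alert policy should threshold on, and a later successful sign-in from the same foreign address for that user is the case to escalate.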
- DNS Reconnaissance activity not getting logged: Hi, I have successfully deployed the ATP sensors in my environment today. I am trying to test the setup using the Reconnaissance Playbook, but unfortunately I am not receiving any alerts pertaining to Reconnaissance (Network-mapping or Directory-services). When I read through the document, it says that Azure ATP suppresses the alerts from the suspicious activity log for a learning period of 8 days (Network-mapping) and 30 days (Directory-services), after which the portal would start raising the alerts that it suppressed. But in my case, I do not find any Reconnaissance alerts getting either suppressed or even generated at all (I checked both the general timeline and the source user/machine timeline). Hence I wanted to check whether there is something that I am missing, or whether I should wait for a period of at least 8 days to start my testing. FYI, I tested the Honeytoken account activity and I received the alert for it on the Azure ATP console when accessing my PC using that Honeytoken account. Thank you.