logging
11 Topics

Deploying MDI to multiple On-premise DC for monitoring purposes
Hello, when deploying MDI to all my on-premise domain controllers for monitoring purposes, do I need to add new sensors for each DC? Or can I use the package and access key from one sensor for all my DCs? Thank you!

ATP Sensor service is continuously trying to start but stops itself
Hello Techies, I've installed ATP Sensor across multiple DCs and it was completed successfully. However, the service is continuously trying to start and stop itself on every machine it's been installed on, with the following error message appearing in the Microsoft.Tri.Sensor-Errors log:
Error ExceptionHandler Microsoft.Tri.Infrastructure.ExtendedException: RestrictCpuAsync failed, exiting ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel. at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context) at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar) --- End of inner exception stack trace --- at async Task<HttpResponseMessage> System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task<HttpResponseMessage> sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts) at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(byte[] requestBytes, int offset, int count) at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count) at async Task Microsoft.Tri.Common.CommunicationWebClient.SendAsync(IVoidRequest request) at async Task Microsoft.Tri.Sensor.Common.ServiceProxy<TWebClientConfiguration>.SendAsync(IVoidRequest request) at async Task Microsoft.Tri.Sensor.SensorResourceManager.RestrictCpuAsync() --- End of inner exception stack trace ---
Has anyone come across this issue? Really appreciate any pointers here. Thank you!

How does MDI monitor DNS Requests?
Hello, the Microsoft Learn documentation states that MDI monitors all DNS requests that are performed against the domain controller. I wonder how this is done. Via event logs or DNS log file or ...? Is there perhaps a blog article on how MDI works under the hood? Cheers, Martin

DFI/DFE and IdentityQueryEvents DNS events
Should I expect to see any DNS query events from DFE endpoints in the IdentityQueryEvents schema table if I have DFI enabled? This doc - Understand the advanced hunting schema - states the IdentityQueryEvents schema is for "Queries for Active Directory objects, such as users, groups, devices, and domains", but my understanding was that DNS query events from DFE endpoints would show up in the DeviceNetworkEvents schema table.

GMSA account accessing server apps
We have deployed Microsoft Defender for Identity on our tenant, and we have questions about why the GMSA is connecting to different app servers and IPs. We would like to understand why this is happening. SAMR is not implemented yet. Please let me know if more information is needed.

No alerts getting displayed (DEFENDER FOR IDENTITY)
Hi, so I've recently set up the sensor on a DC and the status is healthy and running, and I'm also able to receive the test syslog on my SIEM, but I'm not getting any actual alerts on my SIEM or on the Cloud Apps portal under the alerts, and yes, I've enabled the Cloud App - Identity integration. What could be the issue? Or how long does it take for the alerts to actually get displayed once the sensor is deployed?

MS Defender for Identity to SIEM
I know that I can forward our MS Defender for Identity logs to a syslog server for our SIEM to ingest/monitor. Is there any other way aside from this method to get logs from MS Defender for Identity to a SIEM? I also found that currently there is no public API for DFI, unfortunately.

Is Streaming API Free to Use?
I would like to use the Streaming API in the link detailed below: https://docs.microsoft.com/en-us/microsoft-365/security/defender/streaming-api?view=o365-worldwide However, I can't seem to find out if this is a paid additional feature or not. Our business has the Enterprise O365 security stack but I wasn't sure if this was an additional cost. Can anyone confirm if the Streaming API is a paid feature or not?

Queries on Microsoft Azure ATP
Hi, I am going to start a new deployment of Azure ATP for one of my customers. I am aware of how Microsoft ATA works, but there are a few things which are different in Microsoft Azure ATP when compared to Microsoft ATA. I have a few queries for which I am trying to get some answers. I tried searching the official documentation Microsoft created for Azure ATP, but I am unable to find the answers to my queries in it. Below are my queries pertaining to Azure ATP:
1) Can I modify the certificate used by Azure ATP to establish the secure connection between the ATP portal and the Sensor, like in Microsoft ATA? If yes, where can I do so?
2) What is the certificate used for TLS (Secured Syslog) for Splunk integration with the Syslog server? I need to install the certificate on my Splunk for secured communication with the Dedicated Sensor.
3) What is the database used by Azure ATP? In Microsoft ATA, as we all know, it is MongoDB. Likewise, I would like to know what is used for Azure ATP. Is it the same DB?
4) How long are the alerts stored in the Azure ATP cloud service? When do the logs/alerts start purging due to excessive logging? In case of Microsoft ATA, the logs/alerts start purging when the dedicated storage for logging gets exhausted.
5) Under the Syslog settings, if I configure one Sensor for forwarding the alerts to Splunk, will it forward only the alerts generated on that specific ATP Sensor to Splunk, or will it forward all the alerts generated on all the ATP Sensors in my domain to Splunk?
It would be nice if someone provided the answers to my above queries or shared with me the document which would contain the answers to my queries.