microsoft 365 defender
Veeam Backup and Replication v11 warning / User changes
Hi everyone, I recently migrated from ATA to MDI and have 2 questions. In ATA we could see what a helpdesk worker did to a user account (added to group, changed end date etc.). In MDI it seems like we do not get this information. I have set all the Eventlog and audit rights to the DCs and Domain. Also I get the warning about Veeam B&R with Remote Code execution. How can I build a "least privilege" exclusion on this warning? A user attempted to execute VeeamVssSupport (C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe) on 2 domain controllers via SvcCtl. The remote execution succeeded. I do not want to exclude the whole backup servers for this warning or even the domain controllers as "destination". Is there also a possibility to exclude a file? Best regards, Stephan

Remediating - Stop Weak Cipher Usage
Description: Weak ciphers need to be disabled because they are susceptible to cracking and reduce the overall security posture of the organization. With this security assessment, Microsoft Defender for Identity detects network activities that are using weak ciphers as a misconfiguration or as a deliberate security downgrade. Under Exposed Identities it shows Protocol Kerberos and Cipher Rc4HMac.

Attempted resolution: In AD - set "This account supports Kerberos AES 256 bit encryption" (and turned on 128 bit). It has been several days and the vulnerability is not clearing for any accounts. I also applied a GPO to all workstations:

Policy: Network security: Configure encryption types allowed for Kerberos - Enabled
DES_CBC_CRC: Disabled
DES_CBC_MD5: Disabled
RC4_HMAC_MD5: Disabled
AES128_HMAC_SHA1: Enabled
AES256_HMAC_SHA1: Enabled
Future encryption types: Enabled

Any other suggestions?

Password recommendations
Hello DFI community! I'm reviewing some Identity-related recommendations about accounts and passwords. Let's focus on the following:

1. Remove the attribute 'password never expires' from accounts in your domain
2. Manage accounts with passwords more than 180 days old
3. Do not expire passwords

Achieving these 3 recommendations at the same time in a hybrid environment for all types of accounts (user account, service account) seems a bit challenging and counterintuitive. If we disable password rotation policies in AD DS and set passwords to not expire in the 365 org's settings, user accounts will show up in recommendations #1 and #2 after a while... If we don't, then the #3 recommendation pops up. How can we combine features such as Azure Identity Protection/Conditional Access, Password Protection, Managed Identities, s/gMSA accounts to make all this work? I'm a bit confused... What am I missing? Any help would be much appreciated.

Missing alerts from MDI, suspicious additions to sensitive groups
Hi there! Without going into specific details about how and what has happened, I can clearly say that we are missing at least two alerts regarding suspicious additions to sensitive groups. What I can say is that we don't have any exclusions on that rule in MDI, but still we had new members in one group without any alert. I can see the additions in the legacy portal (portal.atp.azure.com), but they are not classified as suspicious for some reason, meanwhile another addition to the same group raised an alert the day after. What can be the issue and how can I make it so that it does not happen again?

Defender pre-reqs - ports.
Hi. We are running through the pre-reqs and unsure what exactly is required for the firewall section and allowing the ports: https://learn.microsoft.com/en-us/defender-for-identity/prerequisites#ports

Particularly the "To" column:

Protocol | Transport | Port | From | To
Internet ports:
SSL (*.atp.azure.com) | TCP | 443 | Defender for Identity sensor | Defender for Identity cloud service
Internal ports:
DNS | TCP and UDP | 53 | Defender for Identity sensor | DNS Servers
Netlogon (SMB, CIFS, SAM-R) | TCP/UDP | 445 | Defender for Identity sensor | All devices on network
RADIUS | UDP | 1813 | RADIUS | Defender for Identity sensor
Localhost ports* (Required for Sensor Service updater):
SSL (localhost) | TCP | 444 | Sensor Service | Sensor Updater Service
NNR ports**:
NTLM over RPC | TCP | Port 135 | Defender for Identity sensor | All devices on network
NetBIOS | UDP | 137 | Defender for Identity sensor | All devices on network
RDP | TCP | 3389, only the first packet of Client hello | Defender for Identity sensor | All devices on network

Any ideas? Thanks

Azure Advanced Threat Protection Sensor service terminated
Since applying June patches and Azure automatically updating the Azure Advanced Threat Protection Sensor, the service continues to bomb. Anyone else seeing this behavior?

The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 31 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

App event
Application: Microsoft.Tri.Sensor.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Net.Sockets.SocketException
   at System.Net.Sockets.Socket.EndReceive(System.IAsyncResult)
   at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult)
Exception Info: System.IO.IOException
   at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult)
   at Microsoft.Tri.Infrastructure.TaskExtension.UnsafeAsyncCallback[[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.IAsyncResult, System.Func`2<System.IAsyncResult,Int32>, Microsoft.Tri.Infrastructure.TaskCompletionSourceWithCancellation`1<Int32>)
   at System.Net.LazyAsyncResult.Complete(IntPtr)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Net.ContextAwareResult.Complete(IntPtr)
   at System.Net.LazyAsyncResult.ProtectedInvokeCallback(System.Object, IntPtr)
   at System.Net.Sockets.BaseOverlappedAsyncResult.CompletionPortCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
   at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)

DFI/DFE and IdentityQueryEvents DNS events
Should I expect to see any DNS query events from DFE endpoints in the IdentityQueryEvents schema table if I have DFI enabled? This doc - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide#get-schema-information-in-the-security-center - states the IdentityQueryEvents schema is for "Queries for Active Directory objects, such as users, groups, devices, and domains", but my understanding was DNS query events from DFE endpoints would show up in the DeviceNetworkEvents schema table.

ATP Sensor service is continuously trying to start but stops itself
Hello Techies, I've installed ATP Sensor across multiple DCs and it was completed successfully. However, the service is continuously trying to start and stop itself on every machine it's been installed on, with the following error message appearing in the Microsoft.Tri.Sensor-Errors log:

Error ExceptionHandler Microsoft.Tri.Infrastructure.ExtendedException: RestrictCpuAsync failed, exiting ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context)
   at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at async Task<HttpResponseMessage> System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task<HttpResponseMessage> sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)
   at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(byte[] requestBytes, int offset, int count)
   at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)
   at async Task Microsoft.Tri.Common.CommunicationWebClient.SendAsync(IVoidRequest request)
   at async Task Microsoft.Tri.Sensor.Common.ServiceProxy<TWebClientConfiguration>.SendAsync(IVoidRequest request)
   at async Task Microsoft.Tri.Sensor.SensorResourceManager.RestrictCpuAsync()
   --- End of inner exception stack trace ---

Has anyone come across this issue? Really appreciate any pointers here. Thank you!

Missing features in Security portal
With the Azure ATP portal we were able to do a lot more investigation for on-premises actions. We are in a large hybrid environment. Is there a way to access the old portal to get back that timeline for a user? The things we are missing out on currently that we found are the following:

- Password resets, were able to see that easily at the user's timeline.
- Users being added to or removed from groups and who did it
- Failed logins to on-premises resources
- You can no longer search for groups
- Can't export the same data as in the ATP portal.

Some of us used this daily and are having trouble figuring out how to get the correct information now. I'm aware that we can see some of those things in the users' audit logs for example, but it would be nice to be able to see it in the timeline as before.

MS Defender for Identity to SIEM
I know that I can forward our MS Defender for Identity logs to a https://docs.microsoft.com/en-us/defender-for-identity/setting-syslog#:~:text=Microsoft%20Defender%20for%20Identity%20can,server%20through%20a%20nominated%20sensor. for our SIEM to ingest/monitor. Is there any other way aside from this method to get logs from MS Defender for Identity to SIEM? I also found that currently there is no public API for DFI, unfortunately.