requirements
12 Topics

Defender for Identity Certificate Requirements
One of the required certificates for the MDI sensor to run is this certificate:

Subject : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Thumbprint : D4DE20D05E66FC53FE1A50882C78DB2852CAE474
FriendlyName : DigiCert Baltimore Root
NotBefore : 5/12/2000 11:46:00 AM
NotAfter : 5/12/2025 4:59:00 PM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

It expires in a little over 2 weeks. I still see it listed as required here: https://learn.microsoft.com/en-us/defender-for-identity/troubleshooting-known-issues Does anyone know if that requirement will be going away and/or will the certificate be updated before this one expires? I haven't been able to find anything related to its replacement through my various searches, so I apologize if this has been covered already. Thanks.

Defender pre-reqs - ports.
Hi, we are running through the pre-reqs and unsure what exactly is required for the firewall section and allowing the ports: https://learn.microsoft.com/en-us/defender-for-identity/prerequisites#ports Particularly the "To" column:

Protocol | Transport | Port | From | To

Internet ports
SSL (*.atp.azure.com) | TCP | 443 | Defender for Identity sensor | Defender for Identity cloud service

Internal ports
DNS | TCP and UDP | 53 | Defender for Identity sensor | DNS Servers
Netlogon (SMB, CIFS, SAM-R) | TCP/UDP | 445 | Defender for Identity sensor | All devices on network
RADIUS | UDP | 1813 | RADIUS | Defender for Identity sensor

Localhost ports* (required for Sensor Service updater)
SSL (localhost) | TCP | 444 | Sensor Service | Sensor Updater Service

NNR ports**
NTLM over RPC | TCP | Port 135 | Defender for Identity sensor | All devices on network
NetBIOS | UDP | 137 | Defender for Identity sensor | All devices on network
RDP | TCP | 3389, only the first packet of Client hello | Defender for Identity sensor | All devices on network

Any ideas? Thanks

Best practice for Microsoft Defender for Identity
Dear Team, I have installed the Azure ATP Sensor for MDI on the domain controller (AD) already, but I don't know the best practice on how to configure it in MDI. Could you help to share best practices to configure MDI? Best Regards, Ravoth

Permissions required for the DSA Account - Missing the revoking of the 'ownership' in the script
Hi All, referring to the following step of the Directory services account permission assignment: after obtaining the ownership permissions of the 'Deleted objects' container ACL, is it just left as is? How do we revoke this properly?

# Take ownership on the deleted objects container:
$params = @("$deletedObjectsDN", '/takeOwnership')
C:\Windows\System32\dsacls.exe $params

Ref - Directory Service account recommendations - Microsoft Defender for Identity | Microsoft Learn

Question on configuring SAM-R to enable lateral movement path detection
Hey Defender Peeps, referring to this KB from MS - Configure SAM-R to enable lateral movement path detection - Microsoft Defender for Identity | Microsoft Learn. Seeking some advice on "configuring SAM-R to enable lateral movement path detection in Microsoft Defender for Identity". The customer doesn't currently have the "Network access - Restrict clients allowed to make remote calls to SAM" policy defined within their environment, and is unsure of the implication of doing so. I assume that by enabling the policy across their domain (excluding Domain Controllers) and adding the Directory Service account with Remote Access, any other accounts currently making remote calls to SAM will start failing? The MS documentation around the policy setting itself mentions the ability to configure audit-only mode for the change, but applying that across the PROD environment means we'd need to look for 8 different event IDs across every server/workstation in every domain in order to figure out what other accounts are making remote calls to SAM and what they call (i.e. it will take a significant amount of time). Can someone advise what best practice would be followed for enabling the policy, and what accounts should be added in addition to the Directory Service account? Any thoughts/advice are highly appreciated. Thank you!!

Defender for Identity Sensor Sizing for ADFS
Howdy Folks! Is there any way of sizing the AD FS servers for sensor installation? I'm guessing the sizing tool we have is just for the Domain Controllers, not for AD FS servers. Should I stick to the general recommendations (minimum of 2 cores and 6 GB of RAM), or are there any specifics for AD FS? I've tried to dig through the documentation but nothing is specified by Microsoft in this regard. Appreciate your advice! Thank you!

HP ProLiant DL120 Gen9 - installation Windows Server 2022
Hello everyone! I'm sure the answer is yes, but I want to be safe about the answer. We have a HP ProLiant DL120 Gen9 with an Intel Xeon CPU E5-2620 v4 and 32GB RAM. I'm 99,9% sure that I can install Windows Server 2022 there and use it without problems. I can't think of any reason why Server 2022 should not run on this machine, but as I said, I want to be 100% sure. Now - can I install and use it without doubts? 😄 Thank you for your answers! Kind regards, Goodfred

Defender for Identity sensor high severity alert
The MDI sensor is generating a high severity alert stating "A health issue occurred: Sensor received more windows events than they can process resulting in some events not being analyzed". When I checked the MS docs for the possible cause I got this: "Verify that only required events are forwarded to the Defender for Identity sensor or try to forward some of the events to another Defender for Identity sensor". But I am not able to find a way to verify this. If anyone has faced a similar issue, I wanted to know the possible solutions for the same. Thanks in advance.

Azure function require private git package
At the moment we are deploying our python application to a server-less azure function app. For this we use the kudu config-zip deployment:

az functionapp deployment source config-zip -g "xxxx" -n "xxxx" --src "xxxx.zip" --build-remote

We also want a remote build, because this will install the correct version of the packages, since some packages have different versions for different python versions (e.g. 3.8 vs 3.10) and different environments (windows vs linux). The remote build will make sure the correct packages are installed, because the build (azure's default oryx) will run in the same environment. Recently we moved some of our code to another package. This package is shared by multiple other applications. To install it, we add it to our requirements.txt:

git+ssh://Email address removed/xxxxx/xxxxx.git@f4e2bf2e3dxxxxxxxxx

This works perfectly on our local machines, but not once we deploy to azure. Unfortunately there are no logs. Well, the logs show "oryx build...." and that's it. There is no way to access the build logs. Anyway, we know the cause of the issue: the build doesn't have access to the repository. We do have an ssh key, which can be used to access the git repo, but we have no clue how to pass it to the oryx builder. We tried to make a workaround with the "PRE_BUILD_COMMAND" environment variable, but since there are no logs, we cannot determine what is failing during the build. So we cannot install private python packages with azure serverless functions. We see two ways to solve this issue, but for neither do we have a clue how to do it:

- Make the oryx builder use the ssh key
- Do a local build and push it to the azure function

Has someone tried this before, or can someone give some pointers on how to get started on this?