alerts
16 Topics

Suspected identity theft (pass-the-ticket) when switching LAN/WiFi
Hi, I see this alert "Suspected identity theft (pass-the-ticket)" when a user switches from LAN to WiFi or back. The laptop's DNS record has both IP addresses. I'm guessing Defender still thinks a different device is using the same Kerberos ticket. How do you deal with that? Can you tune the alert somehow so that it doesn't keep alerting?

Jan 16, 2025 4:15 PM This Kerberos ticket was first observed on 1/16/25 4:15 PM on [Device Name] (Laptop IP1).
Jan 16, 2025 4:57 PM - Jan 16, 2025 4:57 PM [Username] accessed [Server Name] (CIFS) from [Server IP] (Laptop IP2).

Thanks for your support

MDI not firing alert - "Suspicious additions to sensitive groups (external ID 2024)"
Hi everyone, I have checked our MDI installation with the PowerShell - it is all green. Also the action itself is in the portal. The group is marked sensitive by default. A user gets added by another Domain Admin. This should fire a high alert? But nothing happens. Is there any setting I am missing? We started with a "German AD" so the group names are in German. But this cannot make any difference. BR Stephan

User Risk Policy Migration to Conditional Access - Alerts
Hello all, and greetings from Portugal! I've just migrated my user risk and sign-in risk policies to Conditional Access, but I was wondering if this still allows me to receive alerts (like the user risk policy did) about detected users at risk. Tks in advance, Diogo Sousa

Missing alerts from MDI, suspicious additions to sensitive groups
Hi there! Without going into specific details about how and what has happened, I can clearly say that we are missing at least two alerts regarding suspicious additions to sensitive groups. What I can say is that we don't have any exclusions on that rule in MDI, but still we had new members in one group without any alert. I can see the additions in the legacy portal (portal.atp.azure.com) but they are not classified as suspicious for some reason, meanwhile another addition to the same group raised an alert the day after. What can be the issue and how can I make it so that it does not happen again?

Create an alert on "Failure message: Strong Authentication is required"
Hi, I would like to create an alert on "Failure message: Strong Authentication is required" when the client IP is not from "France". My idea is to find users whose password has been stolen, but where the attacker has no knowledge of MFA/TOTP. I chose the following filter: But I don't find how to filter only "Failure message: Strong Authentication is required", and after that I would like to create a policy on it. Thanks for your help! Regards, Lionel

microsoft windows defender 11
Good afternoon, Microsoft community. I am coming to this forum because I am extremely worried: for a few weeks now Windows Defender has been notifying me with a yellow alert, telling me that I must take actions for the security of the computer. However, I have performed the corresponding actions and I cannot find a solution. The last warning it shows me is in the "reputation-based protection" section of Windows Defender; I try to fix it but get nowhere. I am afraid it may be a virus performing dangerous actions. I am asking whether this problem is on Microsoft's side or only on my notebook. Thank you very much for the help.

Advanced Threat Protection - onPremise
Hi Folks, 🙂 I have a question regarding ATA for on-premise from Microsoft. Even though further improvements of the software have stopped, it is still maintained, and I think it makes sense to make use of it in a local domain network. 🙂 My issue: I cannot find the original setup. I have a VLSC account, but the software is not available when I search for it. Does anyone know where else to find the binaries? Or does anyone have a better idea? 🙂 Here is what I am looking for: What is Microsoft Advanced Threat Analytics (ATA)? | Microsoft Learn Thank you in advance. 🙂 Best regards Patrick

Defender for Identity sensor high severity alert
MDI sensor is generating a high severity alert stating "A health issue occurred: Sensor received more windows events than they can process resulting in some events not being analyzed". While I checked the MS docs for the possible cause I got this: "Verify that only required events are forwarded to the Defender for Identity sensor or try to forward some of the events to another Defender for Identity sensor". But I am not able to find a way to verify this. If anyone has faced a similar issue, I wanted to know the possible solutions for the same. Thanks in advance

No alerts getting displayed (Defender for Identity)
Hi, so I've recently set up the sensor on the DC and the status is healthy and running, and I'm also able to receive the test syslog on my SIEM, but I'm not getting any actual alerts on my SIEM or on the Cloud Apps portal under the alerts, and yes, I've enabled the Cloud App - Identity integration. What could be the issue? Or how long does it take for the alerts to actually get displayed once the sensor is deployed?