Microsoft 365 Defender

What's new and What's learning period in Microsoft Defender for Identity.
In this blog post, I will explain an advanced settings capability available in Microsoft Defender for Identity, which will help security admins in evaluating the product and tweaking the sensitivity level of the alerts. What's Learning Period in MDI? What are the latest enhancements added to that feature? https://www.linkedin.com/pulse/whats-new-learning-period-microsoft-defender-identity-elie-karkafy

Missing remediation actions
Hi everyone, remediation actions such as Disable/Enable user in AD and Force password reset are currently not available through the Defender portal (user page, advanced hunting). Anyone aware of this change? https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions#supported-actions

MDI not firing alert - "Suspicious additions to sensitive groups (external ID 2024)"
Hi everyone, I have checked our MDI installation with PowerShell - it is all green. Also, the action itself is in the portal. The group is marked sensitive by default. A user gets added by another Domain Admin. This should fire a high alert? But nothing happens. Is there any setting I am missing? We started with a "German AD", so the group names are in German. But this cannot make any difference. BR Stephan

Detecting service account provisioning
Hi all, I'm doing some research around the creation and enabling of old-fashioned service accounts using MS Defender. I'm trying to achieve a couple of things, actually. I can detect a LogonType of Service on MDE-onboarded machines using the DeviceLogonEvents table. But there are a few other things I would like to achieve:
1.) Raise an alert when a domain account is granted the "Logon as a Service" right on any machine.
2.) When an account that has never logged on as a service suddenly does so.
3.) Perhaps detect when a user account's ServicePrincipalName attribute is populated or updated.
So the service account logon query looks like this:

    DeviceLogonEvents
    | where Timestamp >= ago(30d)
    | where LogonType == "Service" or LogonType == "Batch"
    | where AccountDomain =~ "saica"
    | summarize count() by AccountName, DeviceName, LogonType
    | sort by count_ desc

The other ones seem to be a bit trickier. Anyone got any ideas? I would rather not install the MMA agent everywhere and ingest security event logs.

Deploying MDI to multiple on-premise DCs for monitoring purposes
Hello, when deploying MDI to all my on-premise domain controllers for monitoring purposes, do I need to add new sensors for each DC, or can I use the package and access key from one sensor for all my DCs? Thank you!

User Risk Policy Migration to Conditional Access - Alerts
Hello all, and greetings from Portugal! I've just migrated my user risk and sign-in risk policies to Conditional Access, but I was wondering if this still allows me to receive alerts (like the user risk policy did) about detected users at risk. Thanks in advance, Diogo Sousa

Microsoft Defender for Identity standalone sensors
Hi, current scenario: we are forwarding domain controller security logs to another server (Windows machine) via the "WEF configuration". We have the logs in Forwarded Events (Event Viewer). In future, if I am installing an identity sensor in standalone mode, should I configure port mirroring and Directory Services accounts? Is that a mandatory configuration for the standalone sensor?

Exclusions for Network Name Resolution
Hi all, I have deployed Defender for Identity in an infrastructure, and now it has been discovered that the sensors are performing name resolution even on unknown IPs, e.g. a Linux-based honeypot that has no connection to the AD. Furthermore, according to the firewall, the sensors "scan" in larger packets, which in turn causes the firewall to alert. Does anyone know if it is possible to exclude certain IPs or ranges from the scan, and is there any documentation on how the process works in detail? Thanks in advance