User Profile
PeterJoInobits
Brass Contributor
Joined 6 years ago
Recent Discussions
Detecting service account provisioning
Hi all, I'm doing some research around the creation and enabling of old-fashioned service accounts using MS Defender. I'm trying to achieve a couple of things actually. I can detect a LogonType of Service on MDE onboarded machines using the DeviceLogonEvents table. But there are a few other things I would like to achieve:
1.) Raise an alert when a domain account is granted the "Logon as a Service" right on any machine.
2.) When an account that has never logged on as a service suddenly does so.
3.) Perhaps detect when a user account's ServicePrincipalName attribute is populated or updated.
So the service account logon query looks like this:
DeviceLogonEvents
| where Timestamp >= ago(30d)
| where LogonType == "Service" or LogonType == "Batch"
| where AccountDomain =~ "saica"
| summarize count() by AccountName, DeviceName, LogonType
| sort by count_ desc
The other ones seem to be a bit trickier. Anyone got any ideas? I would rather not install the MMA agent everywhere and ingest security event logs.
Re: Cross Tenant Sync - not successful - Provisioning fail - SkipReason "AlreadySoftDeleteEntry"
Does she perhaps exist in the target tenant as a guest user? Maybe she was invited as a guest and then that account was converted into a member in the target tenant? Are you able to verify that the object
Re: Migrating from AD hybrid to new AD because of company acquisition.
So the parent entity doesn't have any AD or Azure AD infrastructure or presence. This is simply rebranding with new email addresses? HidMov pretty much has it right. You can add the new parent.com as an allowed UPN suffix in AD, verify it in Azure AD, and start changing users' primary email addresses and UPNs. I would do some reading on the impact of doing this on SharePoint Online and OneDrive, especially when users have shared content out of their OneDrive and someone else is hitting that share. If I recall correctly, OneDrive URLs get changed and so does SharePoint
Defender for Endpoint on Domain Controllers and restricting control
Hi Community, I've got a customer who's busy deploying Windows Defender and has purchased several thousand Defender for Endpoint on Server licenses. The AD team has raised some concerns about what control the Defender for Endpoint administrators will have over Domain Controllers once the DCs have been onboarded. This customer is rolling out a hardened AD environment including the tiered model and bastion forests etc. The AD team is responsible for patching the DCs via WSUS. The DCs already have MDI installed on them and Defender AV. So basically what they are asking for is the following:
1.) Best practices for configuration of Defender for Endpoint on domain controllers
2.) An RBAC model, probably based on tags, that blocks, or at least limits, what the ATP administrators can do on the DCs
3.) Any potential security risks to the DCs by going down this route?
The documentation for MDE states that anyone with Defender for Endpoint Global Administrator privileges has full control over all devices irrespective of their device group affiliations and Azure AD group role assignments. Does this also apply to the Domain Controllers? I'm assuming that best practice advises that anyone with MDE Global Admin privileges should be leveraging PIM via MFA to access that role. Any guidance would be appreciated.
Trying to resolve foreignsecurityprincipal information
Hi all, I'm trying to help a customer unpack some very large groups, i.e. membercount > 5000, where some of the members are groups and some are users, and to add to the complexity some of the members are foreign security principals from other domains and forests. I've come up with something that works, but not completely, and is very messy. Is there a way in PowerShell, using the AD module cmdlets, to retrieve the information of a foreignsecurityprincipal, assuming the trust to the domain in question still exists? I've cobbled together something that works, but I was wondering if there is a more elegant approach. I came across some information about the Translate method but I've not been able to figure that one out yet. I find the syntax a bit arcane to be honest. Any help would be appreciated.
Missing information in Event ID 4688
Hi All, I have a situation at a customer where they have the Splunk agent installed on a Server 2016 Domain Controller. They have enabled some advanced auditing, and when retrieving Event ID 4688, which is the event that records process creation, the event details are being truncated. The process name, creator path and command line are missing. It appears that the Splunk agent is using a deprecated API. Has anyone seen this issue and knows of a resolution/fix?
NPS extension for Azure MFA and MFA prompts
Hi team, my situation is as follows: I'm setting up MFA on a Palo Alto GlobalProtect VPN device and I'm attempting to use RADIUS and the NPS extension for Azure MFA. I appear to have got this all working 100%, except for some timing issues and the client package not being 100% correctly configured. My customer's complaint is that they are required to enter the password and do the Azure MFA every time they connect to the VPN, and they find this inconvenient. Is there any configuration or setup option I can do that would only require the MFA approval every 24 hours, say? I know this is a long way from best security practice, but it's a jarring experience for the customer's users because the current VPN connection method is just a credential login to the Palo Alto device. I'm also aware that the best practice on this would actually be to configure the PA device to use SAML for authentication, but that is outside of the design presented to the customer. Anyone got any ideas or suggestions? I suspect it's some in-depth RADIUS stuff but I'm not sure...
Clarification on Windows Hello for Business Hybrid Trust requirements
Hi Gurus, can someone assist with verifying the exact requirements for a Windows Hello for Business setup using the Hybrid Key Trust model when all devices are Azure AD hybrid joined, i.e. are joined to an AD DS domain that is being synced to Azure AD via AADConnect? I've been reading docs for hours and I'm confused. If all my devices are Azure AD hybrid joined and I have 2019 DCs and I have assigned the right certificate template to them, I don't need a publicly accessible CRL, correct? That is only needed if I have a requirement for Azure AD joined machines to access AD DS resources. This option also requires AADConnect device writeback, where Azure AD joined machines are written back to AD DS on premises. Do I have this right, and will someone put me out of my misery? Please don't point me at the MS documentation on this topic as it's got to be the worst documentation I've read in years. I just need confirmation that I don't need a publicly available CRL for machines that are Azure AD hybrid joined. Any help would be greatly appreciated...
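The first discussion on this profile, "Detecting service account provisioning", asks how to spot an account that has never logged on as a service and suddenly does (item 2 in that post), using only the DeviceLogonEvents data MDE already collects. The advanced hunting query below is an added example written for this page; it is not the poster's code and not a Microsoft-supplied query. It assumes only the table and columns the post itself uses (DeviceLogonEvents, Timestamp, AccountName, AccountDomain, DeviceName, LogonType); the domain filter is a placeholder.

```kql
// Added example (not from the original post): accounts whose Service/Batch logons in the
// last day have no precedent in the preceding 30 days of DeviceLogonEvents.
// Column names are the ones the post already uses; "<your-domain>" is a placeholder.
let lookback = 30d;   // baseline period: accounts seen here are "known" service accounts
let window = 1d;      // detection period: new Service/Batch logons to review
let ServiceLogons = DeviceLogonEvents
    | where LogonType in ("Service", "Batch")
    | where AccountDomain =~ "<your-domain>"   // placeholder, replace with your AD domain
    | project Timestamp, AccountName, AccountDomain, DeviceName, LogonType;
// Baseline: every account/logon-type pair observed before the detection window.
let Baseline = ServiceLogons
    | where Timestamp between (ago(lookback) .. ago(window))
    | summarize by AccountName, AccountDomain, LogonType;
// Anti-join keeps only pairs that occur in the window but never in the baseline.
ServiceLogons
| where Timestamp > ago(window)
| join kind=leftanti Baseline on AccountName, AccountDomain, LogonType
| summarize FirstSeen = min(Timestamp), LogonCount = count(), Devices = make_set(DeviceName)
    by AccountName, AccountDomain, LogonType
| order by FirstSeen desc
```

Saving this as a custom detection rule (scheduled on the same one-day window) turns the hunt into the alert the post asks for, without deploying the MMA agent. The 30-day baseline is a judgement call: too short and monthly batch jobs fire as "new", too long and an account that was quietly abused months ago is already in the baseline. Items 1 and 3 of the post (the "Logon as a Service" right being granted, and ServicePrincipalName changes) are not visible in DeviceLogonEvents, so this query does not cover them.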