identity protection
32 Topics

Azure ATP Sensor Setup - service not starting - missing dependency
When installing Azure ATP Sensor Setup it just stalls midway and then rolls back the installation. I've looked into the logs and can see it's unable to start the service AATPSensorUpdater. I did a dependency check and the WMI Performance Adapter (wmiApSrv) service is missing, which is a dependency. We've got 3 domain controllers; the setup only completed on one (it also has the WMI Performance Adapter (wmiApSrv) service). My question is now: how do I get the WMI Performance Adapter (wmiApSrv) service on the other 2 domain controllers so I can complete the installation? We are running virtual servers with VMware (WS2019).
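An added diagnostic for the missing-dependency question above; it is not part of the post and not Microsoft's code. It reads a service's dependency list straight from the registry (DependOnService) and reports, for each dependency, whether the service is registered, its state and start type, and whether its binary is present on disk, so the same check can be run on every domain controller before retrying the sensor setup. The service name AATPSensorUpdater comes from the post; the DC hostnames in the usage line are placeholders.

```powershell
# Added example (not from the original post). Reads DependOnService from the
# registry instead of using Get-Service -RequiredServices, because Get-Service
# only resolves dependencies that actually exist on the host and would hide a
# missing wmiApSrv entirely.
function Get-ServiceDependencyState {
    param([Parameter(Mandatory)][string]$ServiceName)

    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $key     = Join-Path $svcRoot $ServiceName
    if (-not (Test-Path $key)) {
        throw "Service '$ServiceName' is not registered on $env:COMPUTERNAME"
    }

    $deps = @((Get-ItemProperty -Path $key).DependOnService)
    foreach ($dep in $deps) {
        if ([string]::IsNullOrWhiteSpace($dep)) { continue }
        if ($dep.StartsWith('+')) { continue }   # '+Name' entries are load-order groups, not services

        $depKey = Join-Path $svcRoot $dep
        $svc    = Get-Service -Name $dep -ErrorAction SilentlyContinue
        $image  = if (Test-Path $depKey) { (Get-ItemProperty -Path $depKey).ImagePath } else { $null }

        # ImagePath may be quoted and may carry arguments; keep only the executable.
        $exe = $null
        if ($image -match '^"([^"]+)"') { $exe = $Matches[1] }
        elseif ($image)                 { $exe = ($image -split '\s+')[0] }
        if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }

        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Service     = $ServiceName
            DependsOn   = $dep
            Registered  = [bool]$svc
            Status      = if ($svc) { $svc.Status.ToString() } else { 'MISSING' }
            StartType   = if ($svc) { $svc.StartType.ToString() } else { $null }
            BinaryPath  = $exe
            BinaryFound = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
        }
    }
}

# Run locally, or fan out to every DC (hostnames are placeholders):
Get-ServiceDependencyState -ServiceName 'AATPSensorUpdater' | Format-Table -AutoSize
# Invoke-Command -ComputerName dc01, dc02, dc03 `
#     -ScriptBlock ${function:Get-ServiceDependencyState} -ArgumentList 'AATPSensorUpdater' |
#     Format-Table Computer, DependsOn, Status, BinaryFound -AutoSize
```

A dependency that shows Registered = False is the case in the post; one that is registered but has BinaryFound = False points at a deleted or relocated executable rather than a missing service entry, which is a different repair.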
Remediating - Stop Weak Cipher Usage

Description: Weak ciphers need to be disabled because they are susceptible to cracking and reduce the overall security posture of the organization. With this security assessment, Microsoft Defender for Identity detects network activities that are using weak ciphers as a misconfiguration or as a deliberate security downgrade. Under Exposed Identities it shows Protocol Kerberos and Cipher Rc4HMac.

Attempted resolution: In AD, set "This account supports Kerberos AES 256 bit encryption" (and turned on 128 bit). It has been several days and the vulnerability is not clearing for any accounts.

I also applied a GPO to all workstations:

Policy: Network security: Configure encryption types allowed for Kerberos - Enabled
    DES_CBC_CRC: Disabled
    DES_CBC_MD5: Disabled
    RC4_HMAC_MD5: Disabled
    AES128_HMAC_SHA1: Enabled
    AES256_HMAC_SHA1: Enabled
    Future encryption types: Enabled

Any other suggestions?
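An added example for the RC4 finding above; it is not part of the post and not Microsoft's code. It gives two views of the same problem: which accounts in the domain still do not advertise AES in msDS-SupportedEncryptionTypes, and which Kerberos service tickets the local DC has actually issued with RC4 over the last day (Security event 4769), which is the traffic the assessment observes. It assumes the ActiveDirectory module is available and that the second part runs on a domain controller with Kerberos service ticket auditing enabled.

```powershell
# Added example (not from the original post). Two views of the same finding:
# (1) accounts whose msDS-SupportedEncryptionTypes does not advertise AES, and
# (2) Kerberos service tickets this DC actually issued with RC4 (event 4769).
# Needs the ActiveDirectory module; part (2) must run on a domain controller.

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE).
$EncType = [ordered]@{
    DES_CBC_CRC             = 0x01
    DES_CBC_MD5             = 0x02
    RC4_HMAC_MD5            = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08
    AES256_CTS_HMAC_SHA1_96 = 0x10
}
$AesMask = $EncType.AES128_CTS_HMAC_SHA1_96 -bor $EncType.AES256_CTS_HMAC_SHA1_96

function Get-NonAesAccounts {
    # Users and computers that either never had the attribute set or have it set
    # without an AES bit. Service tickets are encrypted with the target account's
    # key, so accounts carrying an SPN are the ones that matter most here.
    Get-ADObject -LDAPFilter '(objectClass=user)' `
        -Properties 'msDS-SupportedEncryptionTypes', servicePrincipalName |
      ForEach-Object {
        $raw = $_.'msDS-SupportedEncryptionTypes'
        if ($null -eq $raw) {
            $state = 'NotSet'; $value = 0
        } else {
            $value = [int]$raw
            $state = if ($value -band $AesMask) { 'Aes' } else { 'NoAes' }
        }
        if ($state -ne 'Aes') {
            [pscustomobject]@{
                Name     = $_.Name
                Class    = $_.ObjectClass
                HasSpn   = [bool]$_.servicePrincipalName
                State    = $state
                EncTypes = ($EncType.GetEnumerator() |
                            Where-Object { $value -band $_.Value } |
                            ForEach-Object { $_.Key }) -join ','
            }
        }
      }
}

function Get-Rc4ServiceTickets {
    param([int]$Hours = 24)
    # TicketEncryptionType 0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP; 0x11/0x12 are AES.
    $rc4 = '0x17', '0x18'
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($rc4 -contains $data['TicketEncryptionType']) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Requester = $data['TargetUserName']
                Service   = $data['ServiceName']
                ClientIp  = $data['IpAddress']
                EncType   = $data['TicketEncryptionType']
            }
        }
    }
}

# Which accounts still need AES enabled, and which services still hand out RC4 tickets:
Get-NonAesAccounts | Sort-Object HasSpn -Descending | Format-Table -AutoSize
Get-Rc4ServiceTickets -Hours 24 | Group-Object Service | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The second list is the more useful one when an assessment does not clear: it names the service accounts whose tickets are still being issued with RC4, and the client addresses requesting them, rather than the accounts whose attribute merely looks right.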
How does MDI monitor DNS Requests?

Hello, the Microsoft Learn documentation states that MDI monitors all DNS requests that are performed against the domain controller. I wonder how this is done. Via event logs, or the DNS log file, or ...? Is there perhaps a blog article on how MDI works under the hood? Cheers, Martin
Password recommendations

Hello DFI community! I'm reviewing some Identity-related recommendations about accounts and passwords. Let's focus on the following:

1. Remove the attribute 'password never expires' from accounts in your domain
2. Manage accounts with passwords more than 180 days old
3. Do not expire passwords

Achieving these 3 recommendations at the same time in a hybrid environment for all types of accounts (user account, service account) seems a bit challenging and counterintuitive. If we disable password rotation policies in AD DS and set passwords to not expire in the 365 org's settings, user accounts will show up in recommendations #1 and #2 after a while... If we don't, then recommendation #3 pops up. How can we combine features such as Azure Identity Protection/Conditional Access, Password Protection, Managed Identities, and s/gMSA accounts to make all this work? I'm a bit confused... What am I missing? Any help would be much appreciated.
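An added example for the three recommendations above; it is not part of the post and not Microsoft's code. It lists the enabled user accounts that recommendations #1 and #2 would flag and tags each as 'ServiceLike' (carries an SPN) or 'User', because one common way to reconcile the three is to move service accounts to gMSA, whose passwords AD rotates on its own, and to leave user passwords non-expiring under other controls. gMSA objects are not user objects and are not returned by Get-ADUser, so they are absent from this report by design. It assumes the ActiveDirectory module is available.

```powershell
# Added example (not from the original post). Reports enabled user accounts that
# have 'password never expires' set or a password older than the threshold, and
# separates accounts that look like service accounts (have an SPN) from ordinary
# users. Requires the ActiveDirectory module.
function Get-PasswordHygieneReport {
    param([int]$MaxAgeDays = 180)

    $now    = Get-Date
    $cutoff = $now.AddDays(-$MaxAgeDays)

    Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties PasswordLastSet, PasswordNeverExpires, servicePrincipalName, LastLogonDate |
      ForEach-Object {
        $lastSet  = $_.PasswordLastSet          # $null means "must change at next logon"
        $findings = @()
        if ($_.PasswordNeverExpires)            { $findings += 'PasswordNeverExpires' }
        if ($lastSet -and $lastSet -lt $cutoff) { $findings += "PasswordOlderThan${MaxAgeDays}d" }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Kind            = if ($_.servicePrincipalName) { 'ServiceLike' } else { 'User' }
                PasswordAgeDays = if ($lastSet) { [int]($now - $lastSet).TotalDays } else { $null }
                LastLogon       = $_.LastLogonDate
                Findings        = $findings -join ';'
            }
        }
      }
}

Get-PasswordHygieneReport -MaxAgeDays 180 |
    Sort-Object Kind, PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Reading the two groups separately is the point: the 'ServiceLike' rows are candidates for gMSA or a managed identity, while the 'User' rows are where the non-expiring-password recommendation and the first two collide and need a policy decision rather than a script.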
Azure Advanced Threat Protection Sensor service terminated

Since applying June patches and Azure automatically updating the Azure Advanced Threat Protection Sensor, the service continues to bomb. Anyone else seeing this behavior?

    The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 31 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

App event:

    Application: Microsoft.Tri.Sensor.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.Net.Sockets.SocketException
       at System.Net.Sockets.Socket.EndReceive(System.IAsyncResult)
       at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult)
    Exception Info: System.IO.IOException
       at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult)
       at Microsoft.Tri.Infrastructure.TaskExtension.UnsafeAsyncCallback[[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.IAsyncResult, System.Func`2<System.IAsyncResult,Int32>, Microsoft.Tri.Infrastructure.TaskCompletionSourceWithCancellation`1<Int32>)
       at System.Net.LazyAsyncResult.Complete(IntPtr)
       at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
       at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
       at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
       at System.Net.ContextAwareResult.Complete(IntPtr)
       at System.Net.LazyAsyncResult.ProtectedInvokeCallback(System.Object, IntPtr)
       at System.Net.Sockets.BaseOverlappedAsyncResult.CompletionPortCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
       at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
DFI/DFE and IdentityQueryEvents DNS events

Should I expect to see any DNS query events from DFE endpoints in the IdentityQueryEvents schema table if I have DFI enabled? This doc - Understand the advanced hunting schema - states the IdentityQueryEvents schema is for "Queries for Active Directory objects, such as users, groups, devices, and domains", but my understanding was that DNS query events from DFE endpoints would show up in the DeviceNetworkEvents schema table.
ATP Sensor failed upgrade to 2.198.16173.18440 on Win2012

Hi all, I have a customer running multiple AD Domain Controllers on Windows Server 2012, 2016 and 2019. ATP sensor version 2.197.16100.44617 was working fine, but a few days ago it started an automatic upgrade to 2.198.16173.18440, and the new sensor service "Azure Advanced Threat Protection Sensor" cannot start. The Application event log also shows a variety of error messages from source 'Perflib'. This is new, as the 2012 domain controllers were working fine and had no errors in the Application log prior to the ATP Sensor upgrade. Has anybody experienced the same issue?

PS1: the new ATP sensor version on Windows 2016 and 2019 domain controllers works fine.
PS2: the Windows 2012 servers are running January and February patches.

-Ruslan
Best practice for Microsoft Defender for Identity

Dear Team, I have already installed the Azure ATP Sensor for MDI on the domain controller (AD), but I don't know the best practice for how to configure it in MDI. Could you help by sharing best practices for configuring MDI? Best Regards, Ravoth
ATP Sensor service is continuously trying to start but stops itself

Hello Techies, I've installed the ATP Sensor across multiple DCs and it completed successfully. However, the service is continuously trying to start and stopping itself on every machine it's been installed on, with the following error message appearing in the Microsoft.Tri.Sensor-Errors log:

    Error ExceptionHandler Microsoft.Tri.Infrastructure.ExtendedException: RestrictCpuAsync failed, exiting
    ---> System.Net.Http.HttpRequestException: An error occurred while sending the request.
    ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
       at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context)
       at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
       --- End of inner exception stack trace ---
       at async Task<HttpResponseMessage> System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task<HttpResponseMessage> sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)
       at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(byte[] requestBytes, int offset, int count)
       at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)
       at async Task Microsoft.Tri.Common.CommunicationWebClient.SendAsync(IVoidRequest request)
       at async Task Microsoft.Tri.Sensor.Common.ServiceProxy<TWebClientConfiguration>.SendAsync(IVoidRequest request)
       at async Task Microsoft.Tri.Sensor.SensorResourceManager.RestrictCpuAsync()
       --- End of inner exception stack trace ---

Has anyone come across this issue? Really appreciate any pointers here. Thank you!
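An added diagnostic for the "Could not create SSL/TLS secure channel" error above; it is not part of the post and not Microsoft's code. It reads the two registry values that decide which TLS versions a .NET Framework 4.x process such as Microsoft.Tri.Sensor.exe will offer, then performs a TLS 1.2 handshake to the sensor endpoint from a plain PowerShell session so that a protocol restriction, a missing root CA or a TLS-inspecting proxy produces a readable error and shows the certificate issuer actually presented. The hostname follows the documented <workspace>sensorapi.atp.azure.com pattern; the workspace name in the usage line is a placeholder.

```powershell
# Added example (not from the original post). Reproduces the sensor's outbound
# TLS handshake outside the service so the underlying failure is visible.

function Get-DotNetTlsSettings {
    # A .NET Framework 4.x process honors these values; 1/1 means "use the OS
    # default protocol list" (TLS 1.2 on current builds) instead of the legacy
    # SSL3/TLS1.0 set that the framework would otherwise offer.
    $keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($k in $keys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $k
            SchUseStrongCrypto       = $p.SchUseStrongCrypto
            SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions
        }
    }
}

function Test-SensorTls {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl    = $null
    try {
        $client.Connect($HostName, $Port)
        # Default certificate validation is kept on purpose: an untrusted issuer
        # (for example a TLS-inspecting proxy) must fail here exactly as it does
        # for the sensor, and the issuer is reported so it can be identified.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{
            Host      = $HostName
            Succeeded = $true
            Protocol  = $ssl.SslProtocol.ToString()
            Cipher    = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Issuer    = $ssl.RemoteCertificate.Issuer
            Error     = $null
        }
    } catch {
        [pscustomobject]@{
            Host      = $HostName
            Succeeded = $false
            Protocol  = $null
            Cipher    = $null
            Issuer    = $null
            Error     = $_.Exception.GetBaseException().Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

Get-DotNetTlsSettings | Format-Table -AutoSize
# Replace 'contoso' with the workspace name shown in the Defender portal.
Test-SensorTls -HostName 'contososensorapi.atp.azure.com' | Format-List
```

If the handshake succeeds here but the service still fails, compare the Issuer with what the service account sees: a proxy that only intercepts traffic from the SYSTEM account, or a per-user proxy setting, will not show up in an interactive session.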
How to secure the modern workplace with Microsoft 365 Advanced Threat Protection

Hi community, I was involved in a big implementation of Azure ATP, Office 365 and Windows ATP in a large enterprise with thousands of users across 60+ countries around the globe. I also provide consulting to many enterprises when it comes to cloud security. I noticed that organizations and businesses do not get the big picture when it comes to all the security features available in Azure and Microsoft 365, with all the new updates and the zero trust network approach. There are just a lot of services, and it is hard to understand how to build and re-imagine a new defense-in-depth strategy for organizations moving to the cloud. So, I put together this blog post and video, illustrating and showing how to think of security in the modern workplace utilizing all the security features in Azure AD, Office 365 and EMS E5. I do not want to sound like a marketing post for my blog, but I would love to share my thoughts and engage in conversation with the community about this subject. Here is the blog post, and the YouTube video I recently made. Please tell me if this makes sense, and let me know if you have further questions.