Microsoft 365 Defender

Veeam Backup and Replication v11 warning / User changes
Hi everyone, I recently migrated from ATA to MDI and have 2 questions. In ATA we could see what a helpdesk worker did to a user account (added to group, changed end date etc.). In MDI it seems like we do not get this information. I have set all the Eventlog and audit rights to the DCs and Domain. Also I get the warning about Veeam B&R with Remote Code execution. How can I build a "least privilege" exclusion on this warning?

A user attempted to execute VeeamVssSupport (C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe) on 2 domain controllers via SvcCtl. The remote execution succeeded.

I do not want to exclude the whole backup servers for this warning or even the domain controllers as "destination". Is there also a possibility to exclude a file? Best regards, Stephan

Remediating - Stop Weak Cipher Usage
Description: Weak ciphers need to be disabled because they are susceptible to cracking and reduce the overall security posture of the organization. With this security assessment, Microsoft Defender for Identity detects network activities that are using weak ciphers as a misconfiguration or as a deliberate security downgrade.

Under Exposed Identities it shows Protocol Kerberos and Cipher Rc4HMac.

Attempted resolution: In AD - set "This account supports Kerberos AES 256 bit encryption" (and turned on 128 bit). It has been several days and the vulnerability is not clearing for any accounts.

I also applied a GPO to all workstations:

Policy: Network security: Configure encryption types allowed for Kerberos - Enabled
Settings:
DES_CBC_CRC - Disabled
DES_CBC_MD5 - Disabled
RC4_HMAC_MD5 - Disabled
AES128_HMAC_SHA1 - Enabled
AES256_HMAC_SHA1 - Enabled
Future encryption types - Enabled

Any other suggestions?

Missing alerts from MDI, suspicious additions to sensitive groups
Hi there! Without going into specific details about how and what has happened, I can clearly say that we are missing at least two alerts regarding suspicious additions to sensitive groups. What I can say is that we don't have any exclusions on that rule in MDI, but still we had new members in one group without any alert. I can see the additions in the legacy portal (portal.atp.azure.com), but they are not classified as suspicious for some reason, meanwhile another addition to the same group raised an alert the day after. What can be the issue and how can I make it so that it does not happen again?

Password recommendations
Hello DFI community! I'm reviewing some Identity-related recommendations about accounts and passwords. Let's focus on the following:

1. Remove the attribute 'password never expires' from accounts in your domain
2. Manage accounts with passwords more than 180 days old
3. Do not expire passwords

Achieving these 3 recommendations at the same time in a hybrid environment for all types of accounts (user account, service account) seems a bit challenging and counterintuitive. If we disable password rotation policies in AD DS and set passwords to not expire in the 365 org's settings, user accounts will show up in recommendations #1 and #2 after a while... If we don't, then recommendation #3 pops up. How can we combine features such as Azure Identity Protection/Conditional Access, Password Protection, Managed Identities, s/gMSA accounts to make all this work? I'm a bit confused... What am I missing? Any help would be much appreciated.

Azure Advanced Threat Protection Sensor service terminated
Since applying June patches and Azure automatically updating the Azure Advanced Threat Protection Sensor, the service continues to bomb. Anyone else seeing this behavior?

The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 31 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

App event:
Application: Microsoft.Tri.Sensor.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Net.Sockets.SocketException
   at System.Net.Sockets.Socket.EndReceive(System.IAsyncResult)
   at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult)
Exception Info: System.IO.IOException
   at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult)
   at Microsoft.Tri.Infrastructure.TaskExtension.UnsafeAsyncCallback[[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.IAsyncResult, System.Func`2<System.IAsyncResult,Int32>, Microsoft.Tri.Infrastructure.TaskCompletionSourceWithCancellation`1<Int32>)
   at System.Net.LazyAsyncResult.Complete(IntPtr)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Net.ContextAwareResult.Complete(IntPtr)
   at System.Net.LazyAsyncResult.ProtectedInvokeCallback(System.Object, IntPtr)
   at System.Net.Sockets.BaseOverlappedAsyncResult.CompletionPortCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
   at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)

DFI/DFE and IdentityQueryEvents DNS events
Should I expect to see any DNS query events from DFE endpoints in the IdentityQueryEvents schema table if I have DFI enabled? This doc - Understand the advanced hunting schema - states the IdentityQueryEvents schema is for "Queries for Active Directory objects, such as users, groups, devices, and domains", but my understanding was that DNS query events from DFE endpoints would show up in the DeviceNetworkEvents schema table.

Defender pre-reqs - ports.
Hi, we are running through the pre-reqs and are unsure what exactly is required for the firewall section and allowing the ports: https://learn.microsoft.com/en-us/defender-for-identity/prerequisites#ports

Particularly the "To" column:

Protocol | Transport | Port | From | To

Internet ports
SSL (*.atp.azure.com) | TCP | 443 | Defender for Identity sensor | Defender for Identity cloud service

Internal ports
DNS | TCP and UDP | 53 | Defender for Identity sensor | DNS Servers
Netlogon (SMB, CIFS, SAM-R) | TCP/UDP | 445 | Defender for Identity sensor | All devices on network
RADIUS | UDP | 1813 | RADIUS | Defender for Identity sensor

Localhost ports* (Required for Sensor Service updater)
SSL (localhost) | TCP | 444 | Sensor Service | Sensor Updater Service

NNR ports**
NTLM over RPC | TCP | Port 135 | Defender for Identity sensor | All devices on network
NetBIOS | UDP | 137 | Defender for Identity sensor | All devices on network
RDP | TCP | 3389, only the first packet of Client hello | Defender for Identity sensor | All devices on network

Any ideas? Thanks

Missing features in Security portal
With the Azure ATP portal we were able to do a lot more investigation of on-premises actions. We are in a large hybrid environment. Is there a way to access the old portal to get back that timeline for a user? The things we are missing out on currently that we found are the following:

- Password resets, which we were able to see easily in the user's timeline.
- Users being added to or removed from groups and who did it.
- Failed logins to on-premises resources.
- You can no longer search for groups.
- Can't export the same data as in the ATP portal.

Some of us used this daily and are having trouble figuring out how to get the correct information now. I'm aware that we can see some of those things in the user's audit logs for example, but it would be nice to be able to see it in the timeline as before.

MS Defender for Identity to SIEM
I know that I can forward our MS Defender for Identity logs to a syslog server for our SIEM to ingest/monitor. Is there any other way aside from this method to get logs from MS Defender for Identity to SIEM? I also found that currently there is no public API for DFI unfortunately.

ATP Sensor failed upgrade to 2.198.16173.18440 on Win2012
Hi all, I have a customer running multiple AD Domain Controllers on Windows Server 2012, 2016 and 2019. ATP sensor version 2.197.16100.44617 was working fine, but a few days ago it started an automatic upgrade to 2.198.16173.18440, and the new sensor service "Azure Advanced Threat Protection Sensor" cannot start. The Application event log also shows a variety of error messages from source 'Perflib'. This is new, as the 2012 domain controllers were working fine and had no errors in the Application log prior to the ATP Sensor upgrade. Has anybody experienced the same issue?

PS1: the new ATP sensor version on Windows 2016 and 2019 domain controllers works fine.
PS2: Windows 2012 servers are running January and February patches.

-Ruslan