Microsoft 365 Defender

Azure Advanced Threat Protection Sensor service terminated

Since applying June patches and Azure automatically updating the Azure Advanced Threat Protection Sensor, the service continues to bomb. Anyone else seeing this behavior?

The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 31 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

App event:
Application: Microsoft.Tri.Sensor.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Net.Sockets.SocketException
   at System.Net.Sockets.Socket.EndReceive(System.IAsyncResult)
   at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult)
Exception Info: System.IO.IOException
   at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult)
   at Microsoft.Tri.Infrastructure.TaskExtension.UnsafeAsyncCallback[[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.IAsyncResult, System.Func`2<System.IAsyncResult,Int32>, Microsoft.Tri.Infrastructure.TaskCompletionSourceWithCancellation`1<Int32>)
   at System.Net.LazyAsyncResult.Complete(IntPtr)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Net.ContextAwareResult.Complete(IntPtr)
   at System.Net.LazyAsyncResult.ProtectedInvokeCallback(System.Object, IntPtr)
   at System.Net.Sockets.BaseOverlappedAsyncResult.CompletionPortCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
   at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)

Attack simulation Payload editor - recently broken?

Hello, Just last Wednesday, Jan. 8th, I created a new custom payload and was happy with the testing of the email. I logged in today and noticed that a majority of the formatting had been removed. I found this post: https://answers.microsoft.com/en-us/msoffice/forum/all/phishing-attack-simulation-payload-editor-is/88232e12-9744-4d87-9566-3fd5d8c2ed3a Seems like he is having the same issue I am facing. Nothing is centering and many of the blocks I have created are gone (i.e. the External email banner). Anyone else having these issues, or has anyone found a way to "fix" it? Here is a snip of the same payload, one sent Wednesday, the other Monday, Jan. 13th (screenshots not reproduced here). Any help would be appreciated.

What's new and What's learning period in Microsoft Defender for Identity.

In this blog post, I will explain an advanced settings capability available in Microsoft Defender for Identity, which will help security admins in evaluating the product and tweaking the sensitivity level of the alerts. What's the Learning Period in MDI? What are the latest enhancements added to that feature? https://www.linkedin.com/pulse/whats-new-learning-period-microsoft-defender-identity-elie-karkafy

Missing remediation actions

Hi everyone, Remediation actions such as Disable/Enable user in AD and Force password reset are currently not available through the Defender portal (user page, advanced hunting). Anyone aware of this change? https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions#supported-actions

MDI not firing alert - "Suspicious additions to sensitive groups (external ID 2024)"

Hi everyone, I have checked our MDI installation with PowerShell - it is all green. Also the action itself is in the portal. The group is marked sensitive by default. A user gets added by another Domain Admin. This should fire a high alert? But nothing happens. Is there any setting I am missing? We started with a "German AD" so the group names are in German. But this cannot make any difference. BR Stephan

Detecting service account provisioning

Hi all, I'm doing some research around the creation and enabling of old-fashioned service accounts using MS Defender. I'm trying to achieve a couple of things actually. I can detect LogonType "Service" on MDE onboarded machines using the DeviceLogonEvents table. But there are a few other things I would like to achieve:
1.) Raise an alert when a domain account is granted the "Logon as a Service" right on any machine.
2.) When an account that has never logged on as service suddenly does so.
3.) Perhaps detect when a user account's ServicePrincipalName attribute is populated or updated.
So the service account logon query looks like this:

    DeviceLogonEvents
    | where Timestamp >= ago(30d)
    | where LogonType == "Service" or LogonType == "Batch"
    | where AccountDomain =~ "saica"
    | summarize count() by AccountName, DeviceName, LogonType
    | sort by count_ desc

The other ones seem to be a bit trickier. Anyone got any ideas? I would rather not install the MMA agent everywhere and ingest security event logs.
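For the "Detecting service account provisioning" thread above, goal 2 (an account that has never logged on as a service suddenly doing so) can be expressed as a first-seen query over the same DeviceLogonEvents table the poster already uses. The query below is an added example written for this page; it is not from the thread or from Microsoft. It reuses the poster's AccountDomain value "saica"; the 30-day baseline and 24-hour detection window are assumptions to tune for your environment.

```kql
// Added example (not from the thread): accounts whose first Service/Batch logon
// in the last 24 hours was never seen anywhere in the previous 30 days.
// Assumptions: AccountDomain "saica" comes from the poster's own query; the
// baseline and detection windows are arbitrary choices and should be tuned.
let baseline_window = 30d;
let detect_window = 1d;
let target_domain = "saica";
// Accounts that already performed Service/Batch logons during the baseline window
// (any device counts; the goal is "never logged on as service", not "new on this host").
let known_service_accounts =
    DeviceLogonEvents
    | where Timestamp between (ago(baseline_window + detect_window) .. ago(detect_window))
    | where LogonType in ("Service", "Batch")
    | where AccountDomain =~ target_domain
    | extend AccountName = tolower(AccountName)
    | distinct AccountName;
// Service/Batch logons in the detection window by accounts absent from the baseline.
DeviceLogonEvents
| where Timestamp > ago(detect_window)
| where LogonType in ("Service", "Batch")
| where AccountDomain =~ target_domain
| extend AccountName = tolower(AccountName)
| where AccountName !in (known_service_accounts)
// Keep Timestamp, DeviceId and ReportId of the first logon so the query can be
// saved as a custom detection rule, which requires those columns in its output.
| summarize arg_min(Timestamp, DeviceId, DeviceName, ReportId), Logons = count(),
            Devices = make_set(DeviceName, 20) by AccountName, LogonType
| project-reorder Timestamp, AccountName, LogonType, DeviceName, Logons, Devices
| sort by Timestamp desc
```

Run it in advanced hunting first to see how noisy the baseline is (scheduled-task and service accounts that only run monthly will show up as "new" once before they enter the baseline), then save it as a custom detection rule. Goal 1, granting the "Log on as a service" right, is a local Windows security audit event on the machine where the right is assigned, not a logon, so DeviceLogonEvents will not show it. For goal 3, check which ActionType values IdentityDirectoryEvents actually emits in your tenant before writing a rule; the thread does not show the event name for a ServicePrincipalName change, and this example does not assume one.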
Deploying MDI to multiple On-premise DC for monitoring purposes

Hello, When deploying MDI to all my on-premise domain controllers for monitoring purposes, do I need to add new sensors for each DC, or can I use the package and access key from one sensor on all my DCs? Thank you!

User Risk Policy Migration to Conditional Access - Alerts

Hello all, and greetings from Portugal! I've just migrated my user risk and sign-in risk policies to Conditional Access, but I was wondering if this still allows me to receive alerts (like the user risk policy did) about detected users at risk. Thanks in advance, Diogo Sousa