security posture
16 Topics

Unable to access Update 3 for Microsoft Advanced Threat Analytics 1.9
Hi, Microsoft Tech Community and Ricky Simpson from Microsoft, I cannot download Update 3 for Microsoft Advanced Threat Analytics 1.9. Whenever I tried to access the download update from this article, it seemed the ID number 56725 was missing, and an error code of 404 was returned. Tried URL: https://www.microsoft.com/download/details.aspx?id=56725 Hope you can fix this problem as soon as possible, because Microsoft ATA still plays an important role in most enterprise networks, including my company's network. Best regards for all people in the community

Directory Service Accounts and Active Directory Certificate Services (ADCS)
Should the updated sensor to detect issues with Active Directory Certificate Services (ADCS) use a different Directory Service Account to the one used by domain controllers? The existing MDI documentation hasn't been updated with the new capability announced back in August for ADCS - Microsoft Defender for Identity expands its coverage with new AD CS sensor! - Microsoft Community Hub - It doesn't feel right to use the same account for the service running on DCs as for the ADCS member servers (although I appreciate both services should be considered highly sensitive). Does the MDI team have any recommendations?

Announcing Microsoft Defender Vulnerability Management in public preview
Today, we are thrilled to announce the public preview of Microsoft Defender Vulnerability Management, a single solution offering the full set of Microsoft’s vulnerability management capabilities to help take your threat protection to the next level.

Veeam Backup and Replication v11 warning / User changes
Hi everyone, I recently migrated from ATA to MDI and have 2 questions. In ATA we could see what a helpdesk worker did to a user account (added to group, changed end date etc.). In MDI it seems like we do not get this information. I have set all the Eventlog and audit rights on the DCs and Domain. Also I get the warning about Veeam B&R with Remote Code Execution. How can I build a "least privilege" exclusion for this warning? A user attempted to execute VeeamVssSupport (C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe) on 2 domain controllers via SvcCtl. The remote execution succeeded. I do not want to exclude the whole backup servers for this warning or even the domain controllers as "destination". Is there also a possibility to exclude a file? Best regards Stephan

Password recommendations
Hello DFI community! I'm reviewing some Identity-related recommendations about accounts and passwords. Let's focus on the following:
1. Remove the attribute 'password never expires' from accounts in your domain
2. Manage accounts with passwords more than 180 days old
3. Do not expire passwords
Achieving these 3 recommendations at the same time in a hybrid environment for all types of accounts (user account, service account) seems a bit challenging and counterintuitive. If we disable password rotation policies in AD DS and set passwords to not expire in the 365 org's settings, user accounts will show up in recommendations #1 and #2 after a while... If we don't, then recommendation #3 pops up. How can we combine features such as Azure Identity Protection/Conditional Access, Password Protection, Managed Identities, s/gMSA accounts to make all this work? I'm a bit confused... What am I missing? Any help would be much appreciated.

Permissions required for the DSA Account - Missing the revoking of the 'ownership' in the script
Hi All, Referring to the following step of the Directory services account permission assignment, after obtaining the ownership permissions of the 'Deleted objects' container ACL, is it just left as is? How do we revoke this properly?

    # Take ownership on the deleted objects container:
    $params = @("$deletedObjectsDN", '/takeOwnership')
    C:\Windows\System32\dsacls.exe $params

Ref - Directory Service account recommendations - Microsoft Defender for Identity | Microsoft Learn

Sensitivity Tags for Groups
According to Microsoft Defender for Identity entity tags in Microsoft 365 Defender | Microsoft Learn, many groups are automatically tagged as sensitive. I don't see any indication of this in the MDI settings portal at Identities - Microsoft 365 security. Is this tagging hidden, or is something wrong in my environment?

Defender for Identity sensor high severity alert
MDI sensor is generating a high severity alert stating "A health issue occurred Sensor received more windows events than they can process resulting in some events not being analyzed". While I checked MS docs for the possible cause I got this: "Verify that only required events are forwarded to the Defender for Identity sensor or try to forward some of the events to another Defender for Identity sensor" But I am not able to find a way to verify this. If anyone has faced a similar issue, I wanted to know the possible solutions for the same. Thanks in advance

Generating alerts in test lab
Hi All, I have set myself up a Defender test lab and I have my DC connected to Defender for Identity and I have 2 user machines that are onboarded to Defender for Endpoint. I also have all the relevant integrations in place with Azure Sentinel also configured. I am looking to start generating alerts by using various tools on my machines to recreate the kind of activity that would require investigation. Does anyone know of any resources/guides that can teach me how to begin to perform activities that would generate these alerts, like Lateral Movement and LDAP reconnaissance etc.?