Hey every good evening, and hope you guys are having a nice day today. Just another topic about Azure ATP here, a.k.a Microsoft Defender for Identity.
If you come across this before and then you would already know what is it for. If you are new here, then let’s just have a brief explanation what is it about. Azure ATP is basically a cloud-service that leverages your on-premises to perform identifying, detection and monitoring of your domain controller’s user objects activities and behaviors.
Newly deploy Azure ATP in your environment would take 48 hours to 72 hours for the Azure ATP to study the behaviors of each accounts, but this is also depend how large is your objects in your environment.
Anyway, a bit of side track just now. This blog post objective here is that if you ever encounter the 5 types of attacks, Reconnaissance, Compromised credentials, lateral movements, domain dominance and exfiltration alerts from the Azure ATP.
You may refer to this link here to learn how to remediate and understand how to manage the alerts.
Hey everyone, hope you guys are having a nice evening. Today’s blog post is about Azure ATP and Office 365 audit.
So the situation is like this;
Majority Office 365 tenant has more then 1 global administrators. Whenever, a global administrator would like to capture other administrators actions, they would query those events from Office 365 audit. So for Azure ATP, I notice it is not available in Office 365 audit, but for Defender Endpoint it exist in the audit. Summary, you can’t audit actions being taken in Azure ATP portal.
Scenario: If a global administrator, deletes an alerts from Azure ATP, it would remain deleted and there is no recycle bin to restore the alert back unless you regenerate the same situation to trigger the detection. This delete action is not recorded into the Office 365 audit.
I do not see this as a show stopper, I am still testing other ways to get this working. Stay tune…
Hey Hey everyone, good morning, is Saturday here in Malaysia. Hope you guys are doing well. This week blog post is about another Microsoft Defender for Identity, a.k.a Azure ATP. The terms are up to your suit and understanding.
I think is very reasonable to know what is the retention period that the Azure ATP’s Reports. Why? Because of Auditors…
Upon researching to gather articles from Microsoft site and there weren’t an article talking about how long the reports store in Azure ATP. I do know that the reports in Microsoft security max are either 30, 60 or 90 days.
Thus, I had to raised a case to Microsoft Support and they return the answer that the retention period is 180 days. I did request whether they were able to locate any article from Microsoft that state it but none.
Hi and good weekend to you. I haven’t been writing blog post for 1 week due to Chinese New Year holiday, 1 week off from doing YouTube videos and writing blog post, and spending quality time with my family. This is the first Chinese New Year celebration without visiting friends or other family members. E-angpao has become our replacement of physical AngPao. Seeing how this pandemic pushes technology forward and forcing people from all different generation to use technology, is amazing.
Anyway, this blog post I’m going to be talking about how you as administrator you can exclude certain situation from the Azure ATP detection. Azure ATP stands for Microsoft Defender for Identity. There are few situation you can exclude from Azure ATP detection such as Backup accounts and replication accounts. Take note this is only based on my experience or Microsoft recommendation but is not a MUST to exclude them.
How the alerts works in Azure ATP, is that when ever the account is behaving one of the detection it will notify an alert to the Azure ATP portal and to administrator’s email. So imagine if you have Azure AD Connect in your environment, your Azure AD Connect service account is notifying your administrator every 30 minutes, because the default replication time is every 30 minutes. Annoying right? Once you confirmed that this is the service account used only for replication, here is how you could whitelist it from the Azure ATP detection;
*This is for replication account, for others situation the exclude value may differ, these steps below is mainly to gain understanding how to exclude and where to locate the exclude.
Good afternoon everyone, and Happy Holiday to you all. Today’s blog post is another Azure ATP, or you could say Microsoft Identity Defender or MDI for short.
As you might know that gMSA is a type of service account for Windows Server 2012 and above. For some reason it failed to establish authentication between a Windows Server 2016 and Azure ATP portal for this particular environment. This environment is running single label domain on a Windows Server 2016. It was migrate from Widows Server 2008 R2 to Windows Server 2016.
To locate the logs in the server that you installed the sensor to further identify the cause and issue,
In the server where your sensor installed, if you notice the Azure ATP services keeps stopping and starting, from the services.msc, then it means there is problem with the sensor trying to establish the connection to the Azure ATP.
There wasn’t much article found to prove that gMSA limitation with single label domain, so I go ahead and proceed a testing. I created a managed service account with no special permission included, and add the credential to the Azure ATP > Directory Service. Upon monitoring, there wasn’t any alert prompt from Azure ATP, Azure ATP alert is pretty instant when detected failure on authentication.
So the resolution was to use managed service account instead of the gMSA account for this situation. The sensor start to working well with managed service account.
Hey guys hope you all are staying indoors and cautions about your health. Today’s blog post is to understand what is gMSA account, how to create them and why does it required for setting up Azure ATP (a.k.a Microsoft Identity Defender ATP).
gMSA stands for group managed service account, below reference that you can refer to understand details about it. You only need to setup a gMSA account for Windows Server version 2012 and above, it is recommended to use gMSA account for you Azure ATP deployment if your Domain controller fall on the versions 2012 and above.
Why gMSA and not usually service account (user object)? It improves the security and automatic password management. It works similar as a managed service account functionality and with extended capabilities, such as password is being managed by your Active Directory and every 30 days a new password is assigned to this service account automatically. If you have mix of legacy domain controllers and newer version of domain controllers, you would need both type of service accounts.
Azure ATP directory service connection, doesn’t required a gMSA account, to be a member of domain admin
If your server doesn’t have the root key created, then run the Add-KdsRootKey command with following parameter “-EffectiveTime“, with value immediately or scheduled.
For this Azure ATP case, all domain controllers with sensor must have managed password permission/right on the gMSA account. Make sure your account has a domain admins right to be able to perform the following setup below;
How to setup a gMSA account?
On your domain controller
Open/Launch PowerShell cmdlet
Type the following command New-ADServiceAccount -Name <ATP service account name> -DNSHostName <FQDN of 1 of your domain controller> -PrincipalsAllowedToRetrieveManagedPassword <domain controller hostname01$>,<domain controller hostname02$>
Sample of the command New-ADServiceAccount -Name AzATPSvc -DNSHostName DC01.contoso.com -PrincipalsAllowedToRetrieveManagedPassword DC01$, DC02$
Retrieve your change result command Get-ADServiceAccount -Identity AzATPSvc -Properties PrincipalsAllowedToRetrieveManagedPassword
Testing the service account command Test-ADServiceAccount -Identity AzATPSvc
If your customer is highly concerns about what sort of permission this account is assigned you may run the command below;
Hey everyone, hope you guys had a wonderful day. Starting of a new year 2021. I hope everyone stay healthy and stay safe distance from one another or avoid crowded places.
I know that this pandemic has test us in many ways, in terms of physically and mentally. If you manage to get through year 2020 challenges, then give yourself a pad on the back, you did good.
This blog post I’m going to write about what is Azure ATP, before I jump into the topic, I want to say that security is a journey. If you guys have read about the recent news about attacks rises double/triple in the year 2020 and also the news about solarwinds attack, then these are enough proof that hackers are given more chances to attack in this situation, because they know majority businesses or corporates are still vulnerable or not up to par in terms of securing their environment and providing security training to users. Users mistakes in allowing attackers are also risk to the corporate that is why users training is still important to corporates. Losing money/profit to attackers is twice painful to the corporates then purchasing and implementing security technologies/products in the environment. Let’s take ransomwares as an example for this case. Due to this pandemic, I notice quite an amount of corporates are now implementing the concept of “Zero-trust“. If you would like to know what is “Zero-trust”, do feel free to Google them up.
Anyway, alright lets start our topic. The ATP term has been quite awhile in the security industry, or if you still not too sure what is ATP, ATP stands for Advanced Threat Protection. It contains advanced intelligent technology and combination of algorithms to identify and investigate types of malicious behavior and it will select appropriate action to quarantine/block the malicious actions before doing any harm to the environment and provide deep dive detailed reports to administrators.
Azure ATP has been known quite awhile in Microsoft 365, and Microsoft had given a different naming, Microsoft Identity Defender. It’s capability is to:
Identify compromised accounts
Investigate malicious activities of accounts
Provide best practice security actions to administrators on how to handle accounts that reported by Azure ATP as suspicious or compromised
Provide detail visibility authentication of attacks
Azure ATP able to provide details of attack’s source
Reports are real-time and signals back to Microsoft Identity Defender portal
This is just a summary of the entire structure looks like implementing Azure ATP into the environment with Domain Controllers only.
Azure ATP agent is only for on-premises like Domain controllers and ADFS and the agent will send a signal back to Microsoft Identity Defender if detected malicious activities or compromised accounts. I do recommend that you read more about requirements of deploying Azure ATP, before deploying into your customer’s environment. There is a medium impact required.
Hey guys and girls, hope you are enjoying your weekends. Please do keep a safe distance while you are in public area and wearing your mask.
So while I was doing my lab testing and wanting to remove the device from managed autopilot but it was failed to do so, due to the device were managed by Intune. Below is the error, if you would try to delete the device object from Autopilot.
To resolve this issue, is to remove the device from Intune and then you could able to remove the device from Autopilot.
Hi Guys and girls, hope you all are doing well, and remember to stay safe. Just got the PowerShell check on the command “Remove-DlpCompliancePolicy“, it seems that Microsoft had made some changes to it and had removed the “-ForceDeletion” parameter from the “Remove-DlpCompliancePolicy” command.
Just to announce that if you would like to remove or delete the stuck DLP policy in Security and Compliance, you would have to raise a ticket to Microsoft and inform them to perform the force deletion at their backend. There are users experience this and it is resolved through Microsoft Support.