Identity Controller and Microsoft Defender for Identity in parallel?

Thomas_Eichelbu — Mon, 25 Jul 2022 09:43:34 GMT

Hello Checkmates,

just a question which came to my mind.
i heard a costumer had issues running IDC & Microsoft Defender for Identity in parallel on the same domain controllers.
the IDC has no longer received any events from the Domain Controllers and stopped working.

i have seen similar symptoms when people try to forward the security events to other SIEM solutions, and the IDC got cut off from the events, or when people harden the AD and make it perhaps to hard for the IDC to collect the proper event ID´s

so question to the audience, what would you do when you are running is such situations?

+ forward the logs to a dedicated server and collect the event ID´s from this machine?
(causing perhaps some latency)

+ better move to IA Agents anyhow
(the IT staff will be happy to support just another agent on all clients)

Important to know,
Microsoft Defender for Identity starts with this Event ID´s
https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection

Relevant Windows Events

For Active Directory Federation Services (AD FS) events

1202 - The Federation Service validated a new credential
1203 - The Federation Service failed to validate a new credential
4624 - An account was successfully logged on
4625 - An account failed to log on

For other events

1644 - LDAP search
4662 - An operation was performed on an object
4726 - User Account Deleted
4728 - Member Added to Global Security Group
4729 - Member Removed from Global Security Group
4730 - Global Security Group Deleted
4732 - Member Added to Local Security Group
4733 - Member Removed from Local Security Group
4741 - Computer Account Added
4743 - Computer Account Deleted
4753 - Global Distribution Group Deleted
4756 - Member Added to Universal Security Group
4757 - Member Removed from Universal Security Group
4758 - Universal Security Group Deleted
4763 - Universal Distribution Group Deleted
4776 - Domain Controller Attempted to Validate Credentials for an Account (NTLM)
7045 - New Service Installed
8004 - NTLM Authentication

but the IDC uses only:

Windows 2003 servers: 672, 673, 674
Windows 2008 servers: 4624, 4768, 4769, 4770
Windows 2012 servers: 4624, 4768, 4769, 4770

i see no overlapp in here?

best regards
Thomas

Re: Identity Controller and Microsoft Defender for Identity in parallel?

PhoneBoy — Mon, 25 Jul 2022 10:47:23 GMT

Looks like both are using 4624, at least according to the list you provided.
I think you listed the two possible solutions to this issue, unless @Royi_Priov can suggest something else.

Re: Identity Controller and Microsoft Defender for Identity in parallel?

Thomas_Eichelbu — Mon, 25 Jul 2022 10:50:54 GMT

yes right .... 4624 overlaps ... i should wear glasses ...

thank you, i didnt see that...

topic Re: Identity Controller and Microsoft Defender for Identity in parallel? in Firewall and Security Management

Identity Controller and Microsoft Defender for Identity in parallel?

Relevant Windows Events

For Active Directory Federation Services (AD FS) events

For other events

Re: Identity Controller and Microsoft Defender for Identity in parallel?

Re: Identity Controller and Microsoft Defender for Identity in parallel?