Just a question which came to my mind.
I heard a customer had issues running IDC & Microsoft Defender for Identity in parallel on the same domain controllers.
The IDC no longer received any events from the Domain Controllers and stopped working.
I have seen similar symptoms when people try to forward the security events to other SIEM solutions and the IDC got cut off from the events, or when people harden the AD and make it perhaps too hard for the IDC to collect the proper event IDs.
So, question to the audience: what would you do when you are running into such situations?
+ forward the logs to a dedicated server and collect the event IDs from this machine?
(causing perhaps some latency)
+ better move to IA Agents anyhow?
(the IT staff will be happy to support just another agent on all clients)
Important to know:
Microsoft Defender for Identity starts with these Event IDs
Relevant Windows Events
For Active Directory Federation Services (AD FS) events
- 1202 - The Federation Service validated a new credential
- 1203 - The Federation Service failed to validate a new credential
- 4624 - An account was successfully logged on
- 4625 - An account failed to log on
For other events
- 1644 - LDAP search
- 4662 - An operation was performed on an object
- 4726 - User Account Deleted
- 4728 - Member Added to Global Security Group
- 4729 - Member Removed from Global Security Group
- 4730 - Global Security Group Deleted
- 4732 - Member Added to Local Security Group
- 4733 - Member Removed from Local Security Group
- 4741 - Computer Account Added
- 4743 - Computer Account Deleted
- 4753 - Global Distribution Group Deleted
- 4756 - Member Added to Universal Security Group
- 4757 - Member Removed from Universal Security Group
- 4758 - Universal Security Group Deleted
- 4763 - Universal Distribution Group Deleted
- 4776 - Domain Controller Attempted to Validate Credentials for an Account (NTLM)
- 7045 - New Service Installed
- 8004 - NTLM Authentication
But the IDC uses only:
Windows 2003 servers: 672, 673, 674
Windows 2008 servers: 4624, 4768, 4769, 4770
Windows 2012 servers: 4624, 4768, 4769, 4770
I see no overlap here?
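As an added example (not from the post, and not code from any vendor), here is a small PowerShell health check a DC or log-forwarding admin could schedule to catch the failure mode described above, where the collector silently stops seeing its events. It takes the Windows 2008/2012 event IDs listed in the post (4624, 4768, 4769, 4770) as the required set, counts how many of each arrived in the last few minutes, and reads `auditpol` to show whether the audit subcategories that generate those IDs (Logon, Kerberos Authentication Service, Kerberos Service Ticket Operations) are still enabled after a hardening change. The `-LogName 'ForwardedEvents'` option covers the "forward to a dedicated server" variant; the lookback window and the subcategory names are my assumptions, and `auditpol` needs an elevated shell.

```powershell
# Added example: verify that a DC (or a forwarding server) still emits the event IDs
# the identity collector depends on. Event IDs are the ones quoted in the post;
# the lookback window and the audit subcategory mapping are assumptions.
param(
    [string]$LogName = 'Security',      # use 'ForwardedEvents' on a dedicated WEF collector
    [int]$LookbackMinutes = 15,         # assumed window; widen it if forwarding adds latency
    [int[]]$RequiredIds = @(4624, 4768, 4769, 4770)
)

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# Get-WinEvent raises a non-terminating error when nothing matches; treat that as zero events.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $RequiredIds; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Count occurrences per required ID.
$counts = @{}
foreach ($id in $RequiredIds) { $counts[$id] = 0 }
foreach ($e in $events)       { $counts[$e.Id]++ }

$missing = @()
foreach ($id in $RequiredIds) {
    "{0,5}  {1,6} event(s) in the last {2} min on '{3}'" -f $id, $counts[$id], $LookbackMinutes, $LogName
    if ($counts[$id] -eq 0) { $missing += $id }
}

# Audit subcategories that produce the required IDs (assumed mapping):
#   4624 -> Logon, 4768 -> Kerberos Authentication Service, 4769/4770 -> Kerberos Service Ticket Operations
$subcategories = @('Logon', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations')
$policy = auditpol /get /category:* /r | ConvertFrom-Csv
foreach ($name in $subcategories) {
    $row = $policy | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
    "{0,-38} {1}" -f $name, $setting
}

if ($missing.Count -gt 0) {
    Write-Warning ("No events for ID(s) {0} in the last {1} minutes; the collector is likely blind." -f ($missing -join ', '), $LookbackMinutes)
    exit 1
}
```

Run it on the DC as the collector's account to see what that account can actually read; a zero count for 4768/4769 while the subcategory still shows "Success" points to a permission or forwarding problem rather than an audit-policy change, and the reverse points to hardening that removed the subcategory.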