Create a Post
Showing results for 
Search instead for 
Did you mean: 

Identity Controller and Microsoft Defender for Identity in parallel?

Hello Checkmates, 

just a question which came to my mind.
i heard a costumer had issues running IDC & Microsoft Defender for Identity in parallel on the same domain controllers.
the IDC has no longer received any events from the Domain Controllers and stopped working.

i have seen similar symptoms when people try to forward the security events to other SIEM solutions, and the IDC got cut off from the events, or when people harden the AD and make it perhaps to hard for the IDC to collect the proper event ID´s

so question to the audience, what would you do when you are running is such situations?

+ forward the logs to a dedicated server and collect the event ID´s from this machine?
(causing perhaps some latency)

+ better move to IA Agents anyhow
(the IT staff will be happy to support just another agent on all clients)

Important to know,
Microsoft Defender for Identity starts with this Event ID´s

Relevant Windows Events

For Active Directory Federation Services (AD FS) events

  • 1202 - The Federation Service validated a new credential
  • 1203 - The Federation Service failed to validate a new credential
  • 4624 - An account was successfully logged on
  • 4625 - An account failed to log on

For other events

  • 1644 - LDAP search
  • 4662 - An operation was performed on an object
  • 4726 - User Account Deleted
  • 4728 - Member Added to Global Security Group
  • 4729 - Member Removed from Global Security Group
  • 4730 - Global Security Group Deleted
  • 4732 - Member Added to Local Security Group
  • 4733 - Member Removed from Local Security Group
  • 4741 - Computer Account Added
  • 4743 - Computer Account Deleted
  • 4753 - Global Distribution Group Deleted
  • 4756 - Member Added to Universal Security Group
  • 4757 - Member Removed from Universal Security Group
  • 4758 - Universal Security Group Deleted
  • 4763 - Universal Distribution Group Deleted
  • 4776 - Domain Controller Attempted to Validate Credentials for an Account (NTLM)
  • 7045 - New Service Installed
  • 8004 - NTLM Authentication

but the IDC uses only:

Windows 2003 servers: 672, 673, 674
Windows 2008 servers: 4624, 4768, 4769, 4770
Windows 2012 servers: 4624, 4768, 4769, 4770


i see no overlapp in here?

best regards

0 Kudos
2 Replies

Looks like both are using 4624, at least according to the list you provided.
I think you listed the two possible solutions to this issue, unless @Royi_Priov can suggest something else.

0 Kudos

yes right .... 4624 overlaps ... i should wear glasses ... 

thank you, i didnt see that...

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events