Thomas_Eichelbu
Advisor

Identity Controller and Microsoft Defender for Identity in parallel?

Hello Checkmates, 

Just a question which came to my mind.
I heard a customer had issues running IDC & Microsoft Defender for Identity in parallel on the same domain controllers.
The IDC no longer received any events from the Domain Controllers and stopped working.


I have seen similar symptoms when people try to forward the security events to other SIEM solutions and the IDC got cut off from the events, or when people harden the AD and make it perhaps too hard for the IDC to collect the proper event IDs.

So, question to the audience: what would you do when you are running in such situations?

+ forward the logs to a dedicated server and collect the event IDs from this machine?
(causing perhaps some latency)

+ better move to IA Agents anyhow
(the IT staff will be happy to support just another agent on all clients)


Important to know:
Microsoft Defender for Identity starts with these Event IDs
https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection

Relevant Windows Events

For Active Directory Federation Services (AD FS) events

  • 1202 - The Federation Service validated a new credential
  • 1203 - The Federation Service failed to validate a new credential
  • 4624 - An account was successfully logged on
  • 4625 - An account failed to log on

For other events

  • 1644 - LDAP search
  • 4662 - An operation was performed on an object
  • 4726 - User Account Deleted
  • 4728 - Member Added to Global Security Group
  • 4729 - Member Removed from Global Security Group
  • 4730 - Global Security Group Deleted
  • 4732 - Member Added to Local Security Group
  • 4733 - Member Removed from Local Security Group
  • 4741 - Computer Account Added
  • 4743 - Computer Account Deleted
  • 4753 - Global Distribution Group Deleted
  • 4756 - Member Added to Universal Security Group
  • 4757 - Member Removed from Universal Security Group
  • 4758 - Universal Security Group Deleted
  • 4763 - Universal Distribution Group Deleted
  • 4776 - Domain Controller Attempted to Validate Credentials for an Account (NTLM)
  • 7045 - New Service Installed
  • 8004 - NTLM Authentication

But the IDC uses only:

Windows 2003 servers: 672, 673, 674
Windows 2008 servers: 4624, 4768, 4769, 4770
Windows 2012 servers: 4624, 4768, 4769, 4770

I see no overlap in here?

best regards
Thomas

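One way to check the situation Thomas describes on a domain controller, as an added example that is not code from this thread, from Check Point or from Microsoft: it lists which of the IDC event IDs also appear in the MDI list quoted above, counts how many of the IDC-required events the Security log still produced in the last few minutes, and prints the effective audit setting for the subcategories that generate them. The `$Subcategory` mapping, the parameter names and the lookback window are assumptions for this example.

```powershell
# Added health check (not from the thread): verify a DC still emits the
# event IDs the Identity Collector depends on. Run it on the DC itself
# with rights to read the Security log; auditpol only reports locally.
param(
    [int]$LookbackMinutes = 15
)

# Event IDs quoted in the thread for IDC on Windows 2008/2012 DCs
$IdcEventIds = 4624, 4768, 4769, 4770
# Event IDs quoted in the thread from the Defender for Identity docs
$MdiEventIds = 1644, 4624, 4662, 4726, 4728, 4729, 4730, 4732, 4733,
               4741, 4743, 4753, 4756, 4757, 4758, 4763, 4776, 7045, 8004

# Event IDs both products want to read from the same log
$Overlap = $IdcEventIds | Where-Object { $MdiEventIds -contains $_ }
"Event IDs used by both IDC and MDI: $($Overlap -join ', ')"

# Assumed mapping of each IDC event ID to the audit subcategory that
# generates it (standard Windows advanced audit policy names)
$Subcategory = @{
    4624 = 'Logon'
    4768 = 'Kerberos Authentication Service'
    4769 = 'Kerberos Service Ticket Operations'
    4770 = 'Kerberos Service Ticket Operations'
}

$Since = (Get-Date).AddMinutes(-$LookbackMinutes)
foreach ($Id in $IdcEventIds) {
    $Count = 0
    try {
        $Count = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = $Id; StartTime = $Since
        } -ErrorAction Stop).Count
    } catch {
        # Get-WinEvent errors when nothing matches; report that as zero
    }
    $Status = if ($Count -gt 0) { 'OK' } else { 'MISSING' }
    "{0,-8} {1,4}  {2,-36} last {3} min: {4}" -f $Status, $Id,
        $Subcategory[$Id], $LookbackMinutes, $Count
}

# Effective audit setting for the subcategories the IDC events depend on;
# a hardened DC with these set to "No Auditing" will starve the IDC
foreach ($Sub in ($Subcategory.Values | Sort-Object -Unique)) {
    auditpol /get /subcategory:"$Sub"
}
```

A `MISSING` row on a busy DC points at the audit policy or at whatever is consuming the log, not at the IDC itself.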
PhoneBoy
Admin

Looks like both are using 4624, at least according to the list you provided.
I think you listed the two possible solutions to this issue, unless @Royi_Priov can suggest something else.

Thomas_Eichelbu
Advisor

Yes, right .... 4624 overlaps ... I should wear glasses ...

Thank you, I didn't see that...
