(I stole this from Eric M.’s post because it was such a good reference.)
Microsoft’s Active Directory Monitoring solution started as Advanced Threat Analytics, migrated to the cloud as Azure Advanced Threat Protection, and then graduated into the Defender for Identity product that is deeply integrated with the other M365D products such as Defender for Endpoint, Defender for Cloud Apps, and Azure Active Directory Identity Protection.
It’s important to understand that configuring an AD service account and installing the MDI sensor MSI does not complete the deployment. If you stop there, your sensor will fail to detect malicious activity that it otherwise could, because key installation steps were missed.
Key things to consider when deploying MDI:
- An Advanced Audit Policy that meets MDI’s auditing requirements is critical
- Disable LSO (Large Send Offload) on VMware DCs that show health alerts
- Allowlist/bypass yourdomain.atp.azure.com TCP 443 traffic from SSL intercept/proxy
- Make sure that communication isn’t blocked for localhost, TCP port 444
- MDI takes 30 days to baseline the environment for behavioral alerts (pictured)
- Never use the same gMSA for the monitoring & action accounts
- Make sure that SAM-R required permissions are configured for Lateral Movement Path detections
- You do not need to purchase Npcap licenses
- You can use the Azure service tag AzureAdvancedThreatProtection in NSG/Azure Firewall rules
- The monitoring gMSA account must be granted the Log on as a service permission
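The checklist above can be verified before the first health alert ever fires. The following read-only readiness script is an added example, not part of the original post or of Microsoft's tooling: run it in an elevated PowerShell on a domain controller and it reports which of the items above are not yet in place. The workspace hostname and gMSA names are placeholders, and the list of audit subcategories is assumed from Microsoft's MDI audit policy documentation (verify it against the current page).

```powershell
# Added example (not from the original post): read-only MDI readiness check.
# Assumptions: placeholder workspace host and gMSA names below; the audit subcategory
# list is taken from Microsoft's MDI audit-policy docs and should be re-checked there.
param(
    [string]$WorkspaceHost  = 'yourdomain.atp.azure.com',  # placeholder: your MDI workspace
    [string]$MonitoringGmsa = 'mdiSvc$',                   # placeholder: sensor (monitoring) gMSA
    [string]$ActionGmsa     = 'mdiAction$'                 # placeholder: action-account gMSA
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Advanced Audit Policy: every subcategory MDI relies on must audit Success and Failure.
$required = @(
    'Credential Validation',          # 4776
    'Computer Account Management',    # 4741, 4742
    'Distribution Group Management',  # 4753, 4763
    'Security Group Management',      # 4728-4758
    'User Account Management',        # 4726
    'Security System Extension',      # 4697
    'Directory Service Access'        # 4662 (also needs the SACL on the domain object)
)
foreach ($sub in $required) {
    # '/r' prints CSV; 'Inclusion Setting' holds the effective setting for the subcategory.
    $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    if ($setting -ne 'Success and Failure') {
        $findings.Add("Audit policy: '$sub' is '$setting', expected 'Success and Failure'")
    }
}

# 2. gMSAs: monitoring and action accounts must be distinct, and this host must be able
#    to retrieve the monitoring gMSA's password.
if ($MonitoringGmsa -eq $ActionGmsa) {
    $findings.Add('gMSA: monitoring and action accounts are the same identity')
}
Import-Module ActiveDirectory -ErrorAction Stop
if (-not (Test-ADServiceAccount -Identity $MonitoringGmsa)) {
    $findings.Add("gMSA: this host cannot retrieve the password for $MonitoringGmsa")
}

# 3. 'Log on as a service' (SeServiceLogonRight) must include the monitoring gMSA.
#    secedit lists principals by SID (prefixed with '*') or by name in the exported INF.
$cfg = Join-Path $env:TEMP 'mdi-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
$sid   = (Get-ADServiceAccount -Identity $MonitoringGmsa).SID.Value
$name  = $MonitoringGmsa.TrimEnd('$')
if (-not $right -or -not ($right.Line -match [regex]::Escape("*$sid") -or $right.Line -match [regex]::Escape($name))) {
    $findings.Add("User rights: $MonitoringGmsa is not granted 'Log on as a service'")
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 4. LSO on VMware guests: flag adapters that still have Large Send Offload enabled.
$isVmware = (Get-CimInstance Win32_ComputerSystem).Manufacturer -like 'VMware*'
if ($isVmware) {
    Get-NetAdapterLso | Where-Object { $_.IPv4Enabled -or $_.IPv6Enabled } | ForEach-Object {
        $findings.Add("LSO: still enabled on adapter '$($_.Name)' (VMware guest)")
    }
}

# 5. Network: TCP 443 to the workspace must be reachable and not SSL-intercepted;
#    TCP 444 on localhost is used by the sensor once it is installed.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($WorkspaceHost, 443)
    # Accept any certificate here so we can inspect who issued it, not to trust it.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($WorkspaceHost)
    $issuer = $ssl.RemoteCertificate.Issuer
    $ssl.Dispose(); $tcp.Dispose()
    # An issuer that is your own proxy/inspection CA means TLS interception is in the path.
    $findings.Add("Network: $WorkspaceHost:443 reachable; certificate issuer for manual review: $issuer")
} catch {
    $findings.Add("Network: TCP 443 to $WorkspaceHost failed ($($_.Exception.Message))")
}
$local = Test-NetConnection -ComputerName 'localhost' -Port 444 -WarningAction SilentlyContinue
if (-not $local.TcpTestSucceeded) {
    $findings.Add('Network: localhost:444 not reachable (expected only if the sensor is not yet running)')
}

# 6. Report.
if ($findings.Count -eq 0) { 'MDI readiness: no findings' } else { $findings | ForEach-Object { "[!] $_" } }
```

The script only reads configuration; it changes nothing, so it is safe to run repeatedly as DCs are added. The certificate issuer in item 5 is reported rather than judged, because only you know what your SSL-intercept appliance's CA is called; if that name appears there, the workspace traffic has not been bypassed yet.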
Resources:
- Advanced Audit Policy Events: https://lnkd.in/gFwqxJXN
- Microsoft’s Audit Policy Readiness check script: https://lnkd.in/gmRnjcwh
- Raymond R.’s Audit Policy GUI tool: https://lnkd.in/gveSKihW
- VMware fix: https://lnkd.in/gqFmd-Zy
- Npcap: https://lnkd.in/gm4pPUTg
- Provisioning gMSA’s: https://lnkd.in/gyhJDFy9