Which ports need to be open in order for defender for identity to make use of network name resolution NNR?

sensor associates the IP to the computer object. In cases where no name is retrieved, an unresolved computer profile by IP is created with the IP and the relevant detected activity.

Prerequisites

Protocol       Transport  Port  Device                      Direction
NTLM over RPC  TCP        135   All devices on the network  Inbound
NetBIOS        UDP        137   All devices on the network  Inbound
DNS            UDP        53    Domain controllers          Outbound

NNR data is crucial for detecting the following threats:

  • Suspected identity theft (pass-the-ticket)
  • Suspected DCSync attack (replication of directory services)
  • Network mapping reconnaissance (DNS)

To improve your ability to determine if an alert is a True Positive (TP) or False Positive (FP), Azure ATP includes the degree of certainty of computer name resolution in the evidence of each security alert. For example, when computer names are resolved with high certainty, it increases the confidence in the resulting security alert as a True Positive or TP.

The evidence includes the time, IP and computer name the IP was resolved to. When the resolution certainty is low, use this information to investigate and verify which device was the true source of the IP at this time. After confirming the device, you can then determine if the alert is a False Positive or FP, similar to the following examples:

  • Suspected identity theft (pass-the-ticket) – the alert was triggered for the same computer.
  • Suspected DCSync attack (replication of directory services) – the alert was triggered from a domain controller.
  • Network mapping reconnaissance (DNS) – the alert was triggered from a DNS Server.

Configuration recommendations

When port 3389 is opened on devices in the environment, the Azure ATP sensor uses it for network name resolution purposes. Opening port 3389 is not a requirement; it is only an additional method that can provide the computer name if the port is already opened for other purposes.

To make sure Azure ATP is working ideally and the environment is configured correctly, Azure ATP checks the resolution status of each Sensor and issues a monitoring alert per method, providing a list of the Azure ATP sensors with a low success rate of active name resolution using each method. Each monitoring alert provides specific details of the method, sensors, the problematic policy as well as configuration recommendations.

RPC over NTLM:
  • Check that TCP Port 135 is open for inbound communication from Azure ATP Sensors, on all computers in the environment.
  • Check all network configuration (firewalls), as this can prevent communication to the relevant ports.

NetBIOS:
  • Check that UDP Port 137 is open for inbound communication from Azure ATP Sensors, on all computers in the environment.
  • Check all network configuration (firewalls), as this can prevent communication to the relevant ports.

Reverse DNS:
  • Check that the Sensor can reach the DNS server and that Reverse Lookup Zones are enabled.

See Also
  • Azure ATP prerequisites
  • Configure event collection
  • Check out the ATP forum!

Azure ATP Reports
5/6/2019 • 2 minutes to read


I will cut to the chase. MDI, or Microsoft Defender for Identity, is a great tool for identifying identity threats in the local AD environment. Once the sensor is set up, you can monitor for suspicious behavior and configure the service so that bad actors aren’t able to compromise your environment. In this post, I will demonstrate how to install and configure the sensors to get the threat signals.

[Figure from Microsoft Docs]

Licensing Requirement

To enable this feature, you need a license for both Defender for Identity and Defender for Endpoint.

Acquire a license for Enterprise Mobility + Security E5 (EMS E5/A5), Microsoft 365 E5 (M365 E5/A5/G5) or Microsoft 365 E5/A5/G5 Security directly via the Microsoft 365 portal or use the Cloud Solution Partner (CSP) licensing model. Standalone Defender for Identity licenses are also available.

RBAC Requirement

To set up the sensors and for further work, you should have the Global Administrator or Security Administrator permissions assigned.

Server Requirement

Please refer to this URL for all requirements for both Domain Controller and standalone servers:

https://docs.microsoft.com/en-us/defender-for-identity/prerequisites#defender-for-identity-sensor-requirements

Integrate the MDI with MDE (Microsoft Defender for Identity with Microsoft Defender for Endpoint)

As you may know, MDI monitors the traffic in and out of the Domain Controllers, but for a complete solution that can take the next steps when something is not right on the DC, you need MDE to provide the threat remediation capabilities. To make this happen, MDI and MDE must talk to each other. Let's see how this can be configured.

Configure the old Azure ATP portal

  • Login to the Azure ATP portal https://tenant_name.atp.azure.com/ (eg: https://contoso.atp.azure.com/)
  • Go to Configuration
  • Go to Microsoft Defender for Endpoint and switch on the option Integration with Microsoft Defender for Endpoint
  • Press Save
[Screenshot: Azure ATP portal, Microsoft Defender for Endpoint integration setting]

Configure the Defender Security portal

  • Go to https://security.microsoft.com
  • Go to Settings > Endpoints > Advanced Features
  • Switch on the option Microsoft Defender for Identity Integration
[Screenshot: Defender Security portal, Microsoft Defender for Identity Integration setting]

This way, MDI will start talking to MDE and will send the threat analytics data for further action.

Installing the Sensor

Now that the groundwork is done, we can start installing the sensor. There are two methods of installing the MDI sensor.

You can either install the sensor directly on the DC, which is much more reliable, or install the sensor on a standalone server and let it collect the signals from the DC.

A few prerequisites first

  • Make sure Microsoft .NET Framework 4.7 or later is installed on the machine. If Microsoft .NET Framework 4.7 or later isn’t installed, the Defender for Identity sensor setup package installs it, which may require a reboot of the server.
  • Verify that the servers you intend to install Defender for Identity sensors on are able to reach the Defender for Identity Cloud Service. They should be able to access https://your-instance-namesensorapi.atp.azure.com (port 443). For example, https://contoso-corpsensorapi.atp.azure.com.

Defender for Identity Network Name Resolution (NNR) requirements

The following is taken directly from the Microsoft documentation.

Network Name Resolution (NNR) is a main component of Defender for Identity functionality. To resolve IP addresses to computer names, Defender for Identity sensors look up the IP addresses using the following methods:

  • NTLM over RPC (TCP Port 135)
  • NetBIOS (UDP port 137)
  • RDP (TCP port 3389) – only the first packet of Client hello
  • Queries the DNS server using reverse DNS lookup of the IP address (UDP 53)

For the first three methods to work, the relevant ports must be opened inbound from the Defender for Identity sensors to devices on the network. To learn more about Defender for Identity and NNR, see Defender for Identity NNR policy.

For the best results, we recommend using all of the methods. If this isn’t possible, you should use the DNS lookup method and at least one of the other methods.
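The prerequisites above (.NET Framework 4.7 or later, reachability of the sensor API endpoint on port 443) and the NNR ports listed in this section can be checked from the planned sensor host before the installer is run. The following PowerShell script is an added example written for this post; it is not Microsoft's code and not part of the sensor. It assumes it runs elevated on the intended sensor host, and `$InstanceName` and `$SampleHosts` are placeholders to replace with your own instance name and a few IP addresses of devices on your network. The .NET check uses the registry `Release` value (460798 is the lowest build that corresponds to 4.7); `Test-NetConnection` only probes TCP, so NetBIOS over UDP 137 is checked with `nbtstat -A`, and reverse DNS is checked for a PTR answer, which is what a missing reverse lookup zone would break.

```powershell
# Added example (not from the page or from Microsoft): pre-flight checks for an MDI sensor host.
# Assumptions: PowerShell 5.1 or later, run as administrator on the planned sensor host.
$InstanceName = 'contoso-corp'                                  # placeholder: your MDI instance name
$SensorApi    = $InstanceName + 'sensorapi.atp.azure.com'       # endpoint format from the prerequisites
$SampleHosts  = @('10.0.0.10', '10.0.0.11')                     # constructed sample IPs of network devices

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param($Name, $Target, $Ok, $Note)
    $results.Add([pscustomobject]@{ Check = $Name; Target = $Target; Ok = [bool]$Ok; Note = $Note })
}

# 1. .NET Framework 4.7 or later on the sensor host (Release 460798 is the lowest 4.7 build).
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
Add-Check '.NET Framework >= 4.7' 'localhost' ($release -ge 460798) "Release=$release"

# 2. Sensor host can reach the Defender for Identity cloud service on TCP 443.
$cloud = Test-NetConnection -ComputerName $SensorApi -Port 443 -WarningAction SilentlyContinue
Add-Check 'Cloud service (TCP 443)' $SensorApi $cloud.TcpTestSucceeded 'required outbound from the sensor'

# 3. NNR methods against each sample device.
foreach ($ip in $SampleHosts) {
    # NTLM over RPC: TCP 135 must be open inbound on the device.
    $rpc = Test-NetConnection -ComputerName $ip -Port 135 -WarningAction SilentlyContinue
    Add-Check 'NTLM over RPC (TCP 135)' $ip $rpc.TcpTestSucceeded 'required inbound on the device'

    # RDP: TCP 3389 is optional; the sensor only uses it if the port is already open.
    $rdp = Test-NetConnection -ComputerName $ip -Port 3389 -WarningAction SilentlyContinue
    Add-Check 'RDP (TCP 3389)' $ip $rdp.TcpTestSucceeded 'optional; used only if already open'

    # NetBIOS name service is UDP 137, which Test-NetConnection cannot probe; nbtstat -A
    # queries the remote name table, and a <00> UNIQUE entry means the host answered.
    $nbt = nbtstat -A $ip 2>$null
    Add-Check 'NetBIOS (UDP 137)' $ip ($nbt -match '<00>\s+UNIQUE') 'remote name table returned'

    # Reverse DNS (UDP 53): a PTR answer requires a reverse lookup zone on the DNS server.
    try {
        $ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop |
                Where-Object Type -eq 'PTR').NameHost
        Add-Check 'Reverse DNS (UDP 53)' $ip $ptr "PTR=$ptr"
    } catch {
        Add-Check 'Reverse DNS (UDP 53)' $ip $false 'no PTR record; check the reverse lookup zone'
    }
}

# One row per check; any Ok=False row maps to the monitoring alert the sensor would later raise.
$results | Format-Table -AutoSize
```

Run it once before installing, and again after the sensor is up if the portal raises a low-success-rate NNR monitoring alert for a particular method: the failing rows point directly at the port or the reverse lookup zone that needs attention.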

Steps to install the sensor

  • Go to https://security.microsoft.com/settings/identities
  • Under General, go to Sensors and click Add Sensor
  • Download the installer and keep a note of the Access Key

The sensor installation wizard looks like the following:

[Screenshots: Defender for Identity sensor setup wizard]

Go to your standalone server or to the Domain Controller, run the setup you downloaded, and enter the Access Key copied earlier when prompted.

The service will register on the server as shown below.

[Screenshot: sensor service registered on the server]

Once the sensor is installed, the server will appear in the MDI console.

[Screenshot: sensor listed in the MDI console]

Further, if you click on it, you will see more details about that instance.

[Screenshot: sensor details]

Setup – Directory Services Accounts

This is required because the sensor service installed on the local AD server queries the directory via this account.

This account should be an AD read-only account, and a standard user name must be used.

These are the basic steps of how to install the MDI sensor on to the Domain Controllers to start monitoring the traffic in and out of the server.

Setup – Manage Action Accounts

This account is used for actions that the sensor can perform, such as disabling user accounts or resetting passwords, whether those actions are triggered manually or automatically.

For more reading, please refer below

https://docs.microsoft.com/en-us/defender-for-identity/what-is

In the next article on Microsoft Defender for Identity, I will drill down further into the capabilities of the service and showcase how you can effectively manage your identity infrastructure.

What ports does Microsoft Defender use?

Ports

Protocol          Transport  Port
SSL (localhost)   TCP        444
NNR ports**
NTLM over RPC     TCP        135
NetBIOS           UDP        137

Source: Microsoft Defender for Identity prerequisites, learn.microsoft.com › Learn › Get started

How do I give access to Microsoft Defender for identity?

Enable Defender for Identity In Defender for Cloud Apps, under the settings cog, select Settings. Under Threat Protection, select Microsoft Defender for Identity. Select Enable Microsoft Defender for Identity data integration and then select Save.

How does defender for identity work?

Defender for Identity analyzes the behaviors among users, devices, and resources, as well as their relationship to one another, and can detect suspicious activity and known attacks quickly. Three weeks after deployment, Defender for Identity starts to detect behavioral suspicious activities.

What is Microsoft Defender for identity?

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your ...