ATPDocs/investigate-security-alerts.md
4 additions & 0 deletions
@@ -72,6 +72,8 @@ Some alerts have extra tabs, such as details about:
72
72
73
73
For example:
74
74
75
+
:::image type="content" source="media/involved-entities.png" alt-text="Screenshot showing the Microsoft Defender for Identity alert report for Network mapping reconnaissance (DNS). The Summary tab is selected, displaying details such as title, description, start and end times, severity, status, and a link to view in browser. Other tabs include Source Computer, DNS Servers, Network Activities, and Related.":::
## How can I use Defender for Identity information in an investigation?
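Review bot: The image file name `involved-entities.png` does not match what the alt text describes (the Summary tab selected, showing title, description, start and end times, severity and status), so a reader of the source cannot tell which tab this screenshot is meant to illustrate; either rename the file to match the Summary view or use a screenshot of the entities tab the section is introducing. The alt text also enumerates every field and tab label on the screen; trimming it to what the example is meant to show (for instance `alt-text="Screenshot of the Summary tab of a Defender for Identity alert for Network mapping reconnaissance (DNS)."`) keeps it readable for screen-reader users and stops it drifting out of date when the UI changes.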
@@ -90,6 +92,8 @@ Includes the data Defender for Identity learned from Active Directory about the
90
92
91
93
Includes all data Defender for Identity profiled on the entity. Defender for Identity uses the network and event activities captured to learn about the environment's users and computers. Defender for Identity profiles relevant information per entity. This information contributes Defender for Identity's threat identification capabilities.
92
94
95
+
:::image type="content" source="media/related-entities.png" alt-text="Screenshot showing the Related Entities tab of a Microsoft Defender for Identity alert report for Network mapping reconnaissance (DNS). The table lists related entities with columns for ID, Type, Name, Unique Entity JSON, and Unique Entity Profile JSON. Two computer entities are shown, including one named DC1.":::
96
+
93
97

94
98
95
99
For more information about how to work with Defender for Identity security alerts, see [Working with security alerts](/defender-for-identity/understanding-security-alerts).
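Review bot: The alt text for `related-entities.png` calls the tab "Related Entities", while the alt text added in the previous hunk lists the same tab as "Related"; use one name in both so the two screenshots don't give a screen-reader user two labels for one tab. The screenshot is also anchored under the paragraph about profiled data ("Includes all data Defender for Identity profiled on the entity...") rather than under text about related entities, so check that it sits next to the tab it depicts. While this paragraph is being touched, the unchanged context line "This information contributes Defender for Identity's threat identification capabilities" is missing "to" before "Defender".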
ATPDocs/persistence-privilege-escalation-alerts.md
6 additions & 6 deletions
@@ -33,11 +33,11 @@ After the attacker uses techniques to keep access to different on-premises resou
33
33
Encryption downgrade is a method of weakening Kerberos by downgrading the encryption level of different protocol fields that normally have the highest level of encryption. A weakened encrypted field can be an easier target to offline brute force attempts. Various attack methods utilize weak Kerberos encryption cyphers. In this detection, Defender for Identity learns the Kerberos encryption types used by computers and users, and alerts you when a weaker cypher is used that is unusual for the source computer and/or user and matches known attack techniques.
34
34
35
35
36
-
In a Golden Ticket alert, the encryption method of the TGT field of TGS_REQ (service request) message from the source computer was detected as downgraded compared to the previously learned behavior. This isnt based on a time anomaly (as in the other Golden Ticket detection). In addition, in the case of this alert, there was no Kerberos authentication request associated with the previous service request, detected by Defender for Identity.
36
+
In a Golden Ticket alert, the encryption method of the TGT field of TGS_REQ (service request) message from the source computer was detected as downgraded compared to the previously learned behavior. This isn't based on a time anomaly (as in the other Golden Ticket detection). In addition, in the case of this alert, there was no Kerberos authentication request associated with the previous service request, detected by Defender for Identity.
37
37
38
38
**Learning period**:
39
39
40
-
This alert has a learning period of 5 days from the start of domain controller monitoring.
40
+
This alert has a learning period of five days from the start of domain controller monitoring.
41
41
42
42
**MITRE**:
43
43
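Review bot: The hunk fixes "isnt" and "5 days" but leaves "cyphers" and "cypher" in the same paragraph; Microsoft style and the Kerberos RFCs spell it "cipher", so correct it here rather than in a follow-up. In the rewritten sentence, "the TGT field of TGS_REQ (service request) message" is missing an article ("of the TGS_REQ ... message"), and the trailing clause "there was no Kerberos authentication request associated with the previous service request, detected by Defender for Identity" dangles; "Defender for Identity detected no Kerberos authentication request (AS_REQ) associated with the preceding service request" states the Golden Ticket indicator the paragraph is describing more directly.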
@@ -218,7 +218,7 @@ None
218
218
219
219
**Description**:
220
220
221
-
Every user object in Active Directory has attributes that contain information such as first name, middle name, last name, phone number, address and more. Sometimes attackers will try to manipulate these objects for their benefit, for example by changing the phone number of an account to get access to any multifactor authentication attempt. Microsoft Defender for Identity will trigger this alert for any attribute modification against a pre-configured[honeytoken user](entity-tags.md).
221
+
Every user object in Active Directory has attributes that contain information such as first name, middle name, last name, phone number, address, and more. Sometimes attackers try to manipulate these objects for their benefit, for example by changing the phone number of an account to get access to any multifactor authentication attempt. Microsoft Defender for Identity triggers this alert for any attribute modification against a preconfigured[honeytoken user](entity-tags.md).
222
222
223
223
**Learning period**:
224
224
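Review bot: The replacement line still has no space between the word and the link, `preconfigured[honeytoken user](entity-tags.md)`, so it renders as "preconfiguredhoneytoken user"; change it to `preconfigured [honeytoken user](entity-tags.md)`, matching the spacing already used in the honeytoken group-modification description further down in this file.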
@@ -236,7 +236,7 @@ None
236
236
**Severity**: High
237
237
238
238
**Description**:
239
-
In Active Directory, each user is a member of one or more groups. After gaining access to an account, attackers may attempt to add or remove permissions from it to other users, by removing or adding them to security groups. Microsoft Defender for Identity triggers an alert whenever there's a change made to a preconfigured [honeytoken user account](entity-tags.md).
239
+
In Active Directory, each user is a member of one or more groups. After gaining access to an account, attackers might attempt to add or remove permissions from it to other users, by removing or adding them to security groups. Microsoft Defender for Identity triggers an alert whenever there's a change made to a preconfigured [honeytoken user account](entity-tags.md).
240
240
241
241
**Learning period**:
242
242
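Review bot: Swapping "may" for "might" leaves the garbled clause "add or remove permissions from it to other users, by removing or adding them to security groups", which doesn't say whose permissions change or how. Since the line is being rewritten anyway, suggest: "After gaining access to an account, attackers might change its permissions, or those of other users, by adding accounts to or removing them from security groups." That also matches what the alert actually fires on, a membership change involving the honeytoken account.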
@@ -275,7 +275,7 @@ None
275
275
276
276
**Description**:
277
277
278
-
This attack involves the unauthorized modification of the dNSHostName attribute, potentially exploiting a known vulnerability (CVE-2022-26923). Attackers may manipulate this attribute to compromise the integrity of the Domain Name System (DNS) resolution process, leading to various security risks, including man-in-the-middle attacks or unauthorized access to network resources.
278
+
This attack involves the unauthorized modification of the dNSHostName attribute, potentially exploiting a known vulnerability (CVE-2022-26923). Attackers might manipulate this attribute to compromise the integrity of the Domain Name System (DNS) resolution process, leading to various security risks, including man-in-the-middle attacks or unauthorized access to network resources.
279
279
280
280
**Learning period**:
281
281
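Review bot: The description frames CVE-2022-26923 as an attack on "the integrity of the Domain Name System (DNS) resolution process" leading to man-in-the-middle, but that CVE is the Active Directory Certificate Services elevation-of-privilege flaw in which an attacker sets the dNSHostName of a machine account they control to a domain controller's host name and then enrolls for a certificate that authenticates as that DC; DNS naming is the lever, not the target, and no DNS resolution is tampered with. Since this hunk already rewrites the sentence, describe the privilege-escalation outcome, which is what this file's title promises, instead of "man-in-the-middle attacks or unauthorized access to network resources".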
@@ -295,7 +295,7 @@ None
295
295
296
296
**Description**:
297
297
298
-
Attackers may target the Domain AdminSdHolder, making unauthorized modifications. This can lead to security vulnerabilities by altering the security descriptors of privileged accounts. Regular monitoring and securing of critical Active Directory objects are essential to prevent unauthorized changes.
298
+
Attackers might target the Domain AdminSdHolder, making unauthorized modifications. This can lead to security vulnerabilities by altering the security descriptors of privileged accounts. Regular monitoring and securing of critical Active Directory objects are essential to prevent unauthorized changes.
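Review bot: The object is `AdminSDHolder` (CN=AdminSDHolder,CN=System,DC=...), not "AdminSdHolder"; fix the casing on the line being rewritten so searches and the alert name agree. The unchanged sentence "This can lead to security vulnerabilities by altering the security descriptors of privileged accounts" would help an analyst more if it said why this object matters: the SDProp process periodically copies the AdminSDHolder ACL onto protected groups and their members, so a single ACE added here is propagated to every privileged account and restored if an administrator removes it from an individual account, which is what makes it a persistence technique.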