Defender for Identity is a solution that monitor your on-premises Active Directory Domain Services signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. (What is Microsoft Defender for Identity?)
The deployment and configuration of the events involve multiple manual steps and it's easy to miss some.
Raymond Roethof (Thalpius) has developed a C# application to check if all those events are configured properly. It is an amazing solution but I wanted to run the checker as a command line and thought why not use Raymond's work and adapt it as a script using PowerShell?!
The configuration checker looks at the following events:
LDAP queries: Event ID 1644
NTLM authentication activities: Event ID 8004
Audit policies: Event IDs 4776, 4741, 4743, 4753, 4763, 4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758, 4726, 4662, 5136, 7045
Object auditing: Events ID 4662
ADFS objects audit: Event IDs 1202, 1203, 4624, 6425
Exchange object audit
You can download the script from my Github repository: French365Connection/ConfigurationChecker.ps1
The execution of the script is very simple:
a single parameter is needed AdvancedAuditGroupPolicyName: the display name of the policy that contains your advanced audit settings
run as Administrator
run on a Domain Controller
Run it as follow
.\ConfigurationChecker.ps1You will be requested to enter the display name of your advanced audit policy
or that way
.\ConfigurationChecker.ps1 -AdvancedAuditGroupPolicyName "Default Domain Controllers Policy"It is the first version of the script so it doesn't support advanced scenarios such as multiple domains.
If you find an issue with the script, feel free to raise it on my repo: Issues
A massive thanks to Raymond for allowing me to use his work as a baseline - Don't hesitate to visit his blog and repo - I learn so much from his posts, his expertise is just on another level 💪.
Comments