Microsoft Defender for Identity sensor health alerts
Note
The experience described in this page can be accessed at https://security.microsoft.com as part of Microsoft 365 Defender.
Health issues page
The Microsoft Defender for Identity Health issues page lets you know when there's a problem with your Defender for Identity instance, by raising a health alert. To access the page, follow these steps:
In Microsoft 365 Defender, go to Settings and then Identities.
Under General, select Health issues.
The Health issues page is displayed, where you can see Open, Closed, and Suppressed health issues.
Select any issue for more details, and the option to close or suppress the issue.
Note
Sensor-related health alerts can also be found in the Sensors settings page.
Health alerts
This section describes all the health alerts for each component, listing the cause and the steps needed to resolve the problem.
Sensor-specific health alerts are displayed in the Sensors settings page, and domain-related or aggregated health alerts are displayed in the Health issues page, as detailed in the tables below.
A domain controller is unreachable by a sensor
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
The Defender for Identity sensor has limited functionality due to connectivity issues to the configured domain controller. | This impacts Defender for Identity's ability to detect suspicious activities related to domain controllers monitored by this Defender for Identity sensor. | Make sure the domain controllers are up and running and that this Defender for Identity sensor can open LDAP connections to them. In addition, in Settings make sure to configure a Directory Service account for every deployed forest. | Medium | Sensors settings page |
All/Some of the capture network adapters on a sensor are not available
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
All/Some of the selected capture network adapters on the Defender for Identity sensor are disabled or disconnected. | Network traffic for some/all of the domain controllers is no longer captured by the Defender for Identity sensor. This impacts the ability to detect suspicious activities, related to those domain controllers. | Make sure these selected capture network adapters on the Defender for Identity sensor are enabled and connected. | Medium | Sensors settings page |
Directory services user credentials are incorrect
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
The credentials for the directory services user account are incorrect. | This impacts the sensors' ability to detect activities using LDAP queries against domain controllers. | - For a standard AD account: Verify that the username, password, and domain in the Directory services configuration page are correct. - For a group Managed Service Account (gMSA): Verify that the username and domain in the Directory services configuration page are correct. Also check all the other gMSA account prerequisites described on the Directory Service account recommendations page. | Medium | Health issues page |
Low success rate of active name resolution
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
The listed Defender for Identity sensors are failing to resolve IP addresses to device names more than 90% of the time using the following methods: - NTLM over RPC - NetBIOS - Reverse DNS | This impacts Defender for Identity's detection capabilities and might increase the number of false positive alarms. | - For NTLM over RPC: Check that port 135 is open for inbound communication from Defender for Identity sensors on all computers in the environment. - For reverse DNS: Check that the sensors can reach the DNS server and that Reverse Lookup Zones are enabled. - For NetBIOS: Check that port 137 is open for inbound communication from Defender for Identity sensors on all computers in the environment. Additionally, make sure that the network configuration (such as firewalls) isn't preventing communication to the relevant ports. | Low | Sensors settings page and Health issues page |
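The three resolution paths named in the resolution column, probed from the sensor host as an added PowerShell example (this is not code from the Defender for Identity documentation). The target IP list is constructed; substitute addresses from your own environment. Each method is tested independently and a per-method success rate is reported, so you can see which path is failing before changing firewall rules.

```powershell
# Added example: probe the sensor's three active name-resolution methods against a
# list of IPs and report the success rate per method.
# Assumption: run on the sensor host; $Targets is a constructed placeholder list.
$Targets = @('10.0.0.11', '10.0.0.12', '10.0.0.13')   # constructed sample input

function Test-RpcEndpoint {
    param([string]$IPAddress)
    # NTLM over RPC needs TCP/135 (RPC endpoint mapper) reachable from the sensor.
    $r = Test-NetConnection -ComputerName $IPAddress -Port 135 -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

function Test-NetBiosName {
    param([string]$IPAddress)
    # NetBIOS adapter status query on UDP/137. Test-NetConnection is TCP-only, so
    # nbtstat -A is used; a reachable host answers with its name table.
    $out = & nbtstat.exe -A $IPAddress 2>$null
    return (($out -join "`n") -match '<00>\s+UNIQUE')
}

function Test-ReverseDns {
    param([string]$IPAddress)
    # PTR lookup; fails when the reverse lookup zone is missing or DNS is unreachable.
    try {
        $ptr = Resolve-DnsName -Name $IPAddress -Type PTR -DnsOnly -ErrorAction Stop
        return [bool]($ptr | Where-Object { $_.Type -eq 'PTR' })
    } catch {
        return $false
    }
}

function Get-ResolutionSuccessRate {
    param([string[]]$IPAddresses)
    $methods = [ordered]@{
        'NTLM over RPC (TCP/135)' = ${function:Test-RpcEndpoint}
        'NetBIOS (UDP/137)'       = ${function:Test-NetBiosName}
        'Reverse DNS (PTR)'       = ${function:Test-ReverseDns}
    }
    foreach ($name in $methods.Keys) {
        $ok = 0
        foreach ($ip in $IPAddresses) {
            if (& $methods[$name] $ip) { $ok++ }
        }
        [pscustomobject]@{
            Method      = $name
            Succeeded   = $ok
            Total       = $IPAddresses.Count
            SuccessRate = [math]::Round(100 * $ok / $IPAddresses.Count, 1)
        }
    }
}

# The health alert fires when resolution fails more than 90% of the time, so a
# SuccessRate below 10 for a method reproduces the alert condition for that path.
Get-ResolutionSuccessRate -IPAddresses $Targets | Format-Table -AutoSize
```

Run it from the sensor itself, not from an administrative workstation: the alert is about what the sensor can reach, and host firewall rules on the targets typically scope the 135/137 allow rules to the sensor's address.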
No traffic received from domain controller
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
No traffic was received from the domain controller via this Defender for Identity sensor. | This might indicate that port mirroring from the domain controllers to the Defender for Identity sensor isn't configured yet or isn't working. | Verify that port mirroring is configured properly on your network devices. On the Defender for Identity sensor capture NIC, disable these features in Advanced Settings: - Receive Segment Coalescing (IPv4) - Receive Segment Coalescing (IPv6) | Medium | Sensors settings page and Health issues page |
Read-only user password to expire shortly
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
The read-only user password, used to perform resolution of entities against Active Directory, is about to expire in less than 30 days. | If the password for this user expires, all the Defender for Identity sensors stop running and no new data is collected. | Change the domain connectivity password and then update the Directory Service account password. | Medium | Health issues page |
Read-only user password expired
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
The read-only user password, used to get directory data, expired. | All the Defender for Identity sensors stop running (or will stop running soon) and no new data is collected. | Change the domain connectivity password and then update the Directory Service account password. | High | Health issues page |
Sensor outdated
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
A Defender for Identity sensor is outdated. | A Defender for Identity sensor is running a version that can't communicate with the Defender for Identity cloud infrastructure. | Manually update the sensor and check to see why the sensor isn't automatically updating. If this doesn't work, download the latest sensor installation package and uninstall and reinstall the sensor. For more information, see Download the Microsoft Defender for Identity sensor and Install the Microsoft Defender for Identity sensor. | Medium | Sensors settings page and health issues page |
Sensor reached a memory resource limit
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
The Defender for Identity sensor stopped itself and restarts automatically to protect the domain controller from a low memory condition. | The Defender for Identity sensor enforces memory limitations upon itself to prevent the domain controller from experiencing resource limitations. This happens when memory usage on the domain controller is high. Data from this domain controller is only partly monitored. | Increase the amount of memory (RAM) on the domain controller or add more domain controllers in this site to better distribute the load of this domain controller. | Medium | Sensors settings page |
Sensor service failed to start
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
The Defender for Identity sensor service failed to start for at least 30 minutes. | This can impact the ability to detect suspicious activities originating from domain controllers being monitored by this Defender for Identity sensor. | Monitor Defender for Identity sensor logs to understand the root cause for Defender for Identity sensor service failure. | High | Sensors settings page |
Sensor stopped communicating
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
There has been no communication from the Defender for Identity sensor. The default time span for this alert is 5 minutes. | Network traffic is no longer captured by the network adapter on the Defender for Identity sensor. This impacts Defender for Identity's ability to detect suspicious activities, since network traffic won't be able to reach the Defender for Identity cloud service. | Check that the port used for the communication between the Defender for Identity sensor and Defender for Identity cloud service is not blocked by any routers or firewalls. | Medium | Sensors settings page |
Some Windows events are not being analyzed
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
The Defender for Identity sensor is receiving more events than it can process. | Some Windows events aren't being analyzed, which can impact the ability to detect suspicious activities originating from domain controllers being monitored by this Defender for Identity sensor. | Consider adding additional processors and memory as required. If this is a standalone Defender for Identity sensor, verify that only the required events are forwarded to the Defender for Identity sensor or try to forward some of the events to another Defender for Identity sensor. | Medium | Sensors settings page and health issues page |
Some network traffic could not be analyzed
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
The Defender for Identity sensor is receiving more network traffic than it can process. | Some network traffic couldn't be analyzed, which can impact the ability to detect suspicious activities originating from domain controllers being monitored by this Defender for Identity sensor. | Consider adding additional processors and memory as required. If this is a standalone Defender for Identity sensor, reduce the number of domain controllers being monitored. This can also happen if you're using domain controllers on VMware virtual machines. To avoid these alerts, check that the following settings are set to 0 or Disabled in the virtual machine (in the Windows OS, not in the VMware settings): - Large Send Offload V2 (IPv4) - IPv4 TSO Offload The names may vary depending on your VMware version. For more information, see your VMware documentation. | Medium | Sensors settings page and Health issues page |
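The NIC offload settings called out by two alerts above, Receive Segment Coalescing under "No traffic received from domain controller" and Large Send Offload V2 under "Some network traffic could not be analyzed", audited and disabled with the NetAdapter cmdlets. This is an added PowerShell example, not code from the Defender for Identity documentation. It assumes the capture adapter is named `Capture` (change `$CaptureNic`) and that the driver exposes RSC and LSO through the standard cmdlets; the advanced-property listing is there because, as the page notes, driver-specific names vary.

```powershell
# Added example: audit and disable RSC and LSO on the sensor's capture NIC.
# Assumption: the capture adapter is named 'Capture'; adjust $CaptureNic.
$CaptureNic = 'Capture'

function Get-CaptureOffloadState {
    param([string]$Name)
    # Standard NetAdapter views of the two offload families the alerts refer to.
    $rsc = Get-NetAdapterRsc -Name $Name -ErrorAction Stop
    $lso = Get-NetAdapterLso -Name $Name -ErrorAction Stop
    [pscustomobject]@{
        Adapter          = $Name
        RscIPv4Enabled   = [bool]$rsc.IPv4Enabled
        RscIPv6Enabled   = [bool]$rsc.IPv6Enabled
        LsoV2IPv4Enabled = [bool]$lso.V2IPv4Enabled
        LsoV2IPv6Enabled = [bool]$lso.V2IPv6Enabled
    }
}

function Get-CaptureOffloadAdvancedProperties {
    param([string]$Name)
    # Driver-specific display names differ (the VMware guest case in the page),
    # so list anything that looks like an offload or coalescing knob for review.
    Get-NetAdapterAdvancedProperty -Name $Name |
        Where-Object { $_.DisplayName -match 'Offload|Coalescing|TSO|LSO' } |
        Select-Object DisplayName, DisplayValue, RegistryKeyword, RegistryValue
}

function Set-CaptureOffloadDisabled {
    param([string]$Name)
    # Receive Segment Coalescing (IPv4/IPv6): 'No traffic received from domain controller'.
    Disable-NetAdapterRsc -Name $Name -IPv4 -IPv6 -NoRestart
    # Large Send Offload V2 (IPv4/IPv6): the VMware case in 'Some network traffic could not be analyzed'.
    Disable-NetAdapterLso -Name $Name -IPv4 -IPv6 -NoRestart
    # One restart applies both changes; capture is interrupted for a few seconds.
    Restart-NetAdapter -Name $Name
    Get-CaptureOffloadState -Name $Name
}

Get-CaptureOffloadState -Name $CaptureNic | Format-List
Get-CaptureOffloadAdvancedProperties -Name $CaptureNic | Format-Table -AutoSize
# Uncomment to apply the fix once the audit above confirms the adapter name:
# Set-CaptureOffloadDisabled -Name $CaptureNic
```

Run the audit first and confirm `Adapter` is really the mirrored capture NIC and not the management interface; disabling offloads on the management NIC does nothing for the alert and adds CPU load. If `Get-CaptureOffloadAdvancedProperties` shows an offload knob that the `Get-NetAdapterRsc`/`Get-NetAdapterLso` views do not cover (for example a vendor "TSO Offload" entry), set it with `Set-NetAdapterAdvancedProperty` using the `DisplayName` from that listing.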
Some ETW events are not being analyzed
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
The Defender for Identity sensor is receiving more Event Tracing for Windows (ETW) events than it can process. | Some Event Tracing for Windows (ETW) events aren't being analyzed, which can impact the ability to detect suspicious activities originating from domain controllers being monitored by this Defender for Identity sensor. | Consider adding additional processors and memory as required. | Medium | Sensors settings page and health issues page |
Sensor with Windows Server 2008 R2: Will be unsupported soon
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
The Defender for Identity sensor is running on Windows Server 2008 R2, which will be unsupported soon. | Starting June 15, 2022, Microsoft will no longer support the Defender for Identity sensor on devices running Windows Server 2008 R2. More details can be found at: https://aka.ms/mdi/2008r2 | Upgrade the Operating System on this Domain Controller to at least Windows Server 2012. | Medium (Starting June 1, 2022 the severity of this health alert will be High) | Sensors settings page |
Sensor with Windows Server 2008 R2: Unsupported
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
The Defender for Identity sensor is running on Windows 2008 R2, which is unsupported. | Starting June 15, 2022, Microsoft will no longer support the Defender for Identity sensor on devices running Windows Server 2008 R2. More details can be found at: https://aka.ms/mdi/2008r2 | Upgrade the Operating System on this Domain Controller to at least Windows Server 2012. | High | Sensors settings page |
Sensor has issues with packet capturing component
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
The Defender for Identity sensor is using WinPcap drivers instead of Npcap drivers. | We recommend all customers use the Npcap driver instead of the WinPcap drivers. Starting with Defender for Identity version 2.184, the installation package will install Npcap 1.0 OEM instead of the WinPcap 4.1.3 drivers. | Install Npcap according to the guidance as described in: https://aka.ms/mdi/npcap | Low | Sensors settings page |
The Defender for Identity sensor is running an Npcap version older than the minimum required version. | We recommend all customers use the Npcap driver instead of the WinPcap drivers. Starting with Defender for Identity version 2.184, the installation package will install Npcap 1.0 OEM instead of the WinPcap 4.1.3 drivers. | Upgrade Npcap according to the guidance as described in: https://aka.ms/mdi/npcap | Medium | Sensors settings page |
The Defender for Identity sensor is running an Npcap component that is not configured as required. | We recommend all customers use the Npcap driver instead of the WinPcap drivers. Starting with Defender for Identity version 2.184, the installation package will install Npcap 1.0 OEM instead of the WinPcap 4.1.3 drivers. | Install Npcap according to the guidance as described in: https://aka.ms/mdi/npcap | High | Sensors settings page |
NTLM Auditing is not enabled
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
NTLM Auditing is not enabled. | NTLM Auditing (for event ID 8004) is not enabled on the server. | Enable NTLM Auditing events according to the guidance as described at the Event ID 8004 section, in the Configure Windows Event collection page. | Medium | Sensors settings page |
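A read-only check for the alert above, as an added PowerShell example (not code from the Defender for Identity documentation). Event ID 8004 is produced by the three "Network security: Restrict NTLM" policies; the script reads the registry values those policies write and compares them with the "audit everything" level of each, then counts recent 8004 events to confirm the log is actually being populated. The expected values are the standard meanings of those policy settings; confirm them against the Event ID 8004 section of the Configure Windows Event collection page before enforcing.

```powershell
# Added example: report whether the Restrict NTLM auditing policies behind Event ID
# 8004 are fully enabled on this server, and whether 8004 events are being written.
# Assumption: run on the domain controller (or sensor host) being checked.
function Get-NtlmAuditingState {
    $checks = @(
        @{ Policy   = 'Audit NTLM authentication in this domain'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Name     = 'AuditNTLMInDomain'
           Expected = 7 }   # 7 = Enable all
        @{ Policy   = 'Audit Incoming NTLM Traffic'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
           Name     = 'AuditReceivingNTLMTraffic'
           Expected = 2 }   # 2 = Enable auditing for all accounts
        @{ Policy   = 'Outgoing NTLM traffic to remote servers'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
           Name     = 'RestrictSendingNTLMTraffic'
           Expected = 1 }   # 1 = Audit all
    )
    foreach ($c in $checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
        $shown  = if ($null -eq $actual) { 'not set' } else { $actual }
        [pscustomobject]@{
            Policy    = $c.Policy
            Value     = $c.Name
            Actual    = $shown
            Expected  = $c.Expected
            Compliant = ($actual -eq $c.Expected)
        }
    }
}

function Get-NtlmAuditEventCount {
    param([int]$Hours = 24)
    # 8004 events land in the NTLM/Operational log; zero after the policy is set
    # usually means the log is disabled or no NTLM authentication has occurred.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    return @($events).Count
}

Get-NtlmAuditingState | Format-Table -AutoSize
"Event ID 8004 entries in the last 24h: $(Get-NtlmAuditEventCount)"
```

A value of `not set` means the policy has never been configured and Windows is using its default, which does not audit. Set the three policies through Group Policy rather than writing the registry directly, so the setting survives policy refresh; the script is for verification.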
Directory Services Advanced Auditing is not enabled as required
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
Directory Services Advanced Auditing is not enabled as required. | The Directory Services Advanced Auditing configuration does not include all the categories and subcategories as required. | Enable the Directory Services Advanced Auditing events according to the guidance as described in the Configure Audit Policies section, in the Configure Windows Event collection page. | Medium | Health issues page |
Directory Services Object Auditing is not enabled as required
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
Directory Services Object Auditing is not enabled as required. | The Directory Services Object Auditing configuration does not include all the object types and permissions as required. | Enable the Directory Services Object Auditing events according to the guidance as described in the Configure Audit Policies section, in the Configure Windows Event collection page. | Medium | Health issues page |
Power mode is not configured for optimal processor performance
Alert | Description | Resolution | Severity | Displayed in |
---|---|---|---|---|
Power mode is not configured for optimal processor performance. | The operating system's power mode is not configured to the optimal processor performance settings. This can impact the server's performance and the sensors' ability to detect suspicious activities. | Configure the power option of the machine running the Defender for Identity sensor to High Performance (or set both the minimum and maximum processor state to 100) as described in the Server specifications section, in the Defender for Identity prerequisites page. | Low | Sensors settings page |
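The power-plan check and fix for the alert above, as an added PowerShell example (not code from the Defender for Identity documentation). It reads the active scheme and the AC minimum and maximum processor state through `powercfg`, and `Set-SensorHighPerformance` applies the settings the resolution column describes: the built-in High performance plan (`SCHEME_MIN` is powercfg's alias for it) with both processor states pinned to 100.

```powershell
# Added example: verify and apply the processor power settings the health alert
# expects on the sensor host. Assumption: the host runs on AC power, so only the
# AC indexes are read and set.
function Get-ProcessorStateIndex {
    param([ValidateSet('PROCTHROTTLEMIN', 'PROCTHROTTLEMAX')][string]$Setting)
    # powercfg prints e.g. 'Current AC Power Setting Index: 0x00000064' (0x64 = 100 percent).
    $out = & powercfg.exe /query SCHEME_CURRENT SUB_PROCESSOR $Setting
    foreach ($line in $out) {
        if ($line -match 'Current AC Power Setting Index:\s+0x([0-9A-Fa-f]+)') {
            return [Convert]::ToInt32($Matches[1], 16)
        }
    }
    return $null
}

function Get-SensorPowerState {
    # /getactivescheme prints 'Power Scheme GUID: <guid>  (<name>)'; keep the name.
    $scheme = (& powercfg.exe /getactivescheme) -join ' '
    [pscustomobject]@{
        ActiveScheme    = ($scheme -replace '^.*\((.*)\)\s*$', '$1')
        MinProcessorPct = Get-ProcessorStateIndex -Setting PROCTHROTTLEMIN
        MaxProcessorPct = Get-ProcessorStateIndex -Setting PROCTHROTTLEMAX
    }
}

function Test-SensorPowerCompliant {
    $s = Get-SensorPowerState
    # Either condition in the resolution column satisfies the alert.
    return ($s.ActiveScheme -eq 'High performance') -or
           ($s.MinProcessorPct -eq 100 -and $s.MaxProcessorPct -eq 100)
}

function Set-SensorHighPerformance {
    & powercfg.exe /setactive SCHEME_MIN          # High performance plan
    & powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_PROCESSOR PROCTHROTTLEMIN 100
    & powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_PROCESSOR PROCTHROTTLEMAX 100
    & powercfg.exe /setactive SCHEME_CURRENT      # re-activate so the new indexes apply
    Get-SensorPowerState
}

Get-SensorPowerState | Format-List
"Compliant with the alert's requirement: $(Test-SensorPowerCompliant)"
# Uncomment to apply (requires an elevated prompt):
# Set-SensorHighPerformance
```

On a virtualized domain controller the guest setting is what the sensor sees, so apply this inside the VM; the hypervisor's own power management is a separate matter the alert does not evaluate.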