MDI Operational Procedure for ADM

The Microsoft Defender for Identity (MDI) Operational Procedure outlines the deployment and management of MDI on Domain Controllers within Archer Daniels Midland Company. It includes a RACI matrix, detailed steps for sensor deployment, health monitoring, and decommissioning, as well as compliance and exception handling processes. The document is intended for internal use only and emphasizes the importance of adherence to the outlined procedures to avoid severe consequences for the company.

Archer Daniels Midland Company
Owner: Global Information and Cyber Security (GICS)
CLASSIFICATION: INTERNAL

Microsoft Defender for Identity (MDI) Operational Procedure
GLOBAL INFORMATION & CYBER SECURITY
GICS.POL014.S001.P002
Effective Date: 12-10-2024

This document is intended solely for the information and internal use of ADM and should not be used or relied upon by any other person or entity. Contact GICSGovernance@[Link] to obtain permission to share this document with any group or individual outside the company.

01 PURPOSE ... 3
02 SCOPE ... 3
03 RACI MATRIX ... 3
04 MICROSOFT DEFENDER FOR IDENTITY PROCESS OVERVIEW ... 4
05 PROCEDURE STEPS ... 5
05.01 SENSOR DEPLOYMENT ... 5
05.02 HEALTH ISSUE ... 9
05.03 SENSOR DECOMMISSION ... 10
06 EXCEPTIONS ... 11
07 MONITORING ... 11
08 COMPLIANCE ... 11
09 RELATED DOCUMENTATION ... 11
09.03 OTHER ADM DOCUMENTATION ... 12
10 APPENDIX A – HEALTH ISSUE RECOMMENDATION ... 13

01 PURPOSE

The purpose of the Microsoft Defender for Identity (MDI) Operational Procedure (SOP) is to document how MDI is deployed to Domain Controllers and how it is managed beyond deployment.

02 SCOPE

This Standard applies to Microsoft Defender for Identity sensor deployment by the owners of Domain Controllers and to the teams that support the information retrieved by these sensors.

03 RACI MATRIX

This Procedure is supported by the following RACI Matrix:

| Tasks | Details | GICS – Engineering | GICS – GCDO | GICS – Data Protection | Hosting Teams (see 05.02.03 for full list) | Service Desk | Networking Team | Microsoft |
|---|---|---|---|---|---|---|---|---|
| Defender Portal Security Monitoring | Taking action from Security Event(s) or Alert(s) | I | R,A | C | I | I | I | C |
| Sensor Monitoring | Health Monitoring, Auditing, Configuration Settings | C | I | I | R,A | I | I | C |
| Sensor Issues | Agent updates, Agent configuration communication issues, device not getting GPO (policy) updates | C | I | I | R,A | I | I | C |
| Firewall Issues | Firewall rule updates for sensor communication | C | I | I | C | I | R,A | C |
| Defender for Identity Portal Management | Management and enhancements of portal options (General, Entity tags, Actions and exclusions, Notifications) | R,A | C | C | I | I | I | C |
| Device Onboarding | | C | I | I | R,A | I | C | C |

• (R) Responsible – Who is completing the task.
• (A) Accountable – Who is making decisions and taking actions on the task(s).
• (C) Consulted – Who will be communicated with regarding decisions and tasks.
• (I) Informed – Who will be updated on decisions and actions during the project.
04 MICROSOFT DEFENDER FOR IDENTITY PROCESS OVERVIEW

[Figure: MDI Install Process (swimlane diagram)]
Hosting Team: Run Sizing Tool on Domain → Remediation of DC needs → Enable Advanced Auditing GPO → Create GMSA for Domain → Deploy Sensor
GICS – Engineering: Review Sizing Tool Results → Add GMSA to Defender Portal → Provide Sensor Deployment File and Access Key from Portal
Networking: Open Firewall Ports

[Figure: MDI Health Issue Process (swimlane diagram)]
Microsoft: Sensor Health Issue Created in Portal → Generates Email to Service Now
Service Now: Creates Ticket based off Email with Assignment group based off Domain
Hosting Team: Refers to Health Issue Guide for Remediation

05 PROCEDURE STEPS

05.01 SENSOR DEPLOYMENT

Step 1. Run the sizing tool for 24 hours to gather data on the amount of traffic Microsoft Defender for Identity will need to monitor. For more information on the sizing tool see [Link] advanced-threat-protection/atp-capacity-planning.

Step 2. Confirm domain controllers have a minimum of 2 cores and 6 GB of RAM installed to support the MDI sensor. See Microsoft Defender for Identity Sensor prerequisites.

Step 3. Ensure the ports which Defender for Identity requires are open (reference: Microsoft).

Step 4. Configure Advanced Audit Policy settings so that the Windows Event log information required by MDI detections, which audit specific Windows events, is passed to MDI. See Configure Windows Event collection, Microsoft Defender for Identity.

Step 5. Create a Directory Service Account; a gMSA (Group Managed Service Account) is recommended. See Directory Service account recommendations.

Step 6. The Azure ATP Sensor [Link] is downloaded from the portal and sent to the Domain Controller Owner, along with the Access Key. The zip file is opened and the executable is run.

05.02 HEALTH ISSUE

Step 1. A Health Alert is generated in the Microsoft Defender Portal.

Step 2. The Health Alert generates an email to the ADM Service Now mailbox <admcorp@[Link]>.

Step 3. ADM Service Now generates an Incident ticket with the Assignment Group based on the Domain of the sensor:

| Host Group | Domain Coverage |
|---|---|
| IO_COLLAB_AD | admworld, na, sa, eu, [Link], [Link], [Link], toefer, eaststarch, GTDMZ |
| Research | research |
| Global ADMIS Infrastructure | admis, admisi |
| Internal Audit | internal audit |
| GLOBAL Operational Technology | [Link] |
| M&A_Legacy_TotallyNaturalSolutions | [Link] |
| M&A_Legacy_Barista_75H | [Link], [Link] |
| M&A_Legacy_Revela | [Link] |
| M&A_Legacy_Neovia_Brazil | TOTAL, [Link] |
| GLOBAL Operational Technology | NA OT |
| OT_EMEA_APAC | International OT |

Step 4. The Host team fixes the health alert based on the Health Issue Recommendation Guide (Appendix A).

Step 5. The Host team closes the Service Now ticket.

05.03 SENSOR DECOMMISSION

Step 1. The Host team stops the Advanced Threat Protection (ATP) service (Azure ATP Sensor).

Step 2. The Host team submits a ticket to GICS_Engineering noting that a Domain Controller is being decommissioned.

Step 3. The GICS team goes to the sensor tab of the portal, selects the Domain Controller that needs to be removed, and deletes the sensor.

Step 4. GICS closes the Service Now ticket.

06 EXCEPTIONS

Any exception(s) to this Procedure must be reported to the Colleague's direct manager and approved by the Process Owner prior to executing. Once approved, these exceptions must be clearly defined within this procedure.

07 MONITORING

This Procedure will be updated and monitored as directed by ADM management to ensure the Policy, Standards, and Procedures are working as intended and in compliance with all applicable regulatory and privacy rules. Process Owners are responsible for maintaining accurate SOP documentation and ensuring a review process occurs on an annual basis and as updates are required.

08 COMPLIANCE

Failure to comply with this Procedure can have severe consequences for ADM. A violation of any of the provisions of this Procedure may lead to disciplinary action, up to and including termination of employment.

09 RELATED DOCUMENTATION

This Procedure is supported by the following Policies and Standards:

Policies:
• Global Information & Cyber Security (GICS) Compliance Policy
• Global Information and Cyber Security (GICS) Policy

Standards:
• Secure Monitoring, Logging and Event Standard

09.03 OTHER ADM DOCUMENTATION:
• Policy on GICS/GT Policy Program
• Glossary of Terms
• GT/GICS Roles & Responsibilities

10 APPENDIX A – HEALTH ISSUE RECOMMENDATION

Global Health Issues Severity

• High
  o Some Windows events are not being analyzed
    ▪ Recommendation: Verify that the Power Settings scheme is set to High Performance (use [Link] /list). For Hyper-V hosted sensors, ensure that Enable Dynamic Memory is not enabled for the VM. For VMware hosted sensors, ensure that the amount of memory configured and the reserved memory are the same, or select Reserve all guest memory (All locked) in the VM settings. If the above steps do not resolve this alert over time, you may need to increase resources (processor and memory) on the server. See here for more details: [Link]
• Medium
  o Auditing on the ADFS container is not enabled as required
    ▪ Recommendation: Please configure the Auditing on the ADFS container according to the guidance described in [Link]
  o Directory Services Advanced Auditing is not enabled
    ▪ Recommendation: Please enable the Directory Services Advanced Auditing events according to the guidance described in [Link]
  o Directory Services Object Auditing is not configured as required
    ▪ Recommendation: Please configure the Directory Services Object Auditing events according to the guidance described in [Link]
  o Directory services user credentials are incorrect
    ▪ Recommendation: Verify the credentials in the [Link] configuration page
• Low
  o Low success rate of active name resolution
    ▪ Recommendation: Check that the sensor can reach the DNS server and that Reverse Lookup Zones are enabled. Check that port 137 is open for inbound communication from MDI sensors, on all computers in the environment. Check that port 3389 is open for inbound communication from MDI sensors, on all computers in the environment. Check that port 135 is open for inbound communication from MDI sensors, on all computers in the environment. Check all network configuration (firewalls), as these could prevent communication to the relevant ports. Learn more about [Link]

Sensor Health Issues Severity

• High
  o Some network traffic is not being analyzed
    ▪ Recommendation: For more information, refer to [Link]
  o Sensor has issues with packet capturing component
    ▪ Recommendation: Please install npcap according to the guidance described in [Link]
  o Sensor reached a memory resource limit
    ▪ Recommendation: Increase the amount of memory (RAM). Add additional domain controllers to distribute the load of this server.
  o Sensor running on an unsupported operating system
    ▪ Recommendation: The operating system on the server should be upgraded to the latest supported operating system. For more details, see: [Link]
  o Some Windows events are not being analyzed
    ▪ Recommendation: Verify that the Power Settings scheme is set to High Performance (use [Link] /list). For Hyper-V hosted sensors, ensure that Enable Dynamic Memory is not enabled for the VM. For VMware hosted sensors, ensure that the amount of memory configured and the reserved memory are the same, or select Reserve all guest memory (All locked) in the VM settings. If the above steps do not resolve this alert over time, you may need to increase resources (processor and memory) on the server. See here for more details: [Link]
• Medium
  o NTLM Auditing is not enabled
    ▪ Recommendation: Please enable the NTLM Auditing events according to the guidance described in [Link]
  o Sensor stopped communicating
    ▪ Recommendation: Check that the Sensor service is up and running. Check the communication between the Sensor and [Link]
  o Auditing for AD CS servers is not enabled as required
    ▪ Recommendation: Please enable the AD CS auditing events according to the guidance described in [Link]
  o Directory Services Advanced Auditing is not enabled
    ▪ Recommendation: Please enable the Directory Services Advanced Auditing events according to the guidance described in [Link]
• Low
  o Sensor with non-optimal power settings
    ▪ Recommendation: Configure the power option of the machine running the Defender for Identity sensor to High Performance (or set both the minimum and maximum processor state to 100), as described in [Link]
  o Low success rate of active name resolution
    ▪ Recommendation: Check that the sensor can reach the DNS server and that Reverse Lookup Zones are enabled. Check that port 137 is open for inbound communication from MDI sensors, on all computers in the environment. Check that port 3389 is open for inbound communication from MDI sensors, on all computers in the environment. Check that port 135 is open for inbound communication from MDI sensors, on all computers in the environment. Check all network configuration (firewalls), as these could prevent communication to the relevant ports. Learn more about [Link]
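As an added example that is not part of the ADM procedure, the PowerShell below runs read-only checks on a Domain Controller covering both the 05.01 prerequisites (steps 2 and 4) and the Appendix A health-issue recommendations, so a Host team member can see which step or recommendation a failing check maps to before opening or closing a ticket. It assumes the sensor service name 'AATPSensor', the Npcap driver name 'npcap', and the audit subcategories Microsoft documents for MDI; none of these values are stated in this document.

```powershell
# Added example, not ADM's own tooling: read-only readiness and health-issue triage
# checks for a Domain Controller that hosts (or will host) an MDI sensor. Run in an
# elevated PowerShell session on the DC. Assumptions not taken from the procedure:
# the sensor service is 'AATPSensor', the Npcap driver is 'npcap', and the audit
# subcategories below are the ones the linked Microsoft guidance requires.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 05.01 step 2: at least 2 cores and 6 GB of RAM
$cores = (Get-CimInstance Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
$ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
Add-Check 'CPU cores >= 2' ($cores -ge 2) "$cores cores"
Add-Check 'RAM >= 6 GB'    ($ramGB -ge 6) "$ramGB GB"

# Appendix A "Some Windows events are not being analyzed" / "non-optimal power settings":
# the active scheme must be High Performance. The GUID is Windows' built-in High
# Performance scheme; 'powercfg /list' (as in the appendix) marks the active one with '*'.
$highPerfGuid = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c'
$activeScheme = ((powercfg /getactivescheme) -join ' ').Trim()
Add-Check 'Power scheme is High Performance' ($activeScheme -match $highPerfGuid) $activeScheme

# Appendix A "Sensor stopped communicating": the sensor service must be running
$sensor = Get-Service -Name 'AATPSensor' -ErrorAction SilentlyContinue
$sensorState = if ($sensor) { [string]$sensor.Status } else { 'service not installed' }
Add-Check 'AATPSensor service running' ([bool]($sensor -and $sensor.Status -eq 'Running')) $sensorState

# Appendix A "Sensor has issues with packet capturing component": Npcap is a kernel
# driver, so query Win32_SystemDriver rather than Get-Service
$npcap = Get-CimInstance Win32_SystemDriver -Filter "Name='npcap'"
$npcapState = if ($npcap) { $npcap.State } else { 'driver missing' }
Add-Check 'Npcap driver running' ([bool]($npcap -and $npcap.State -eq 'Running')) $npcapState

# 05.01 step 4 / Appendix A "Directory Services Advanced Auditing is not enabled":
# each subcategory should audit at least Success (auditpol output is locale-dependent)
$subcategories = 'Directory Service Changes', 'Credential Validation',
                 'Security Group Management', 'Computer Account Management'
foreach ($sub in $subcategories) {
    $line = auditpol /get /subcategory:"$sub" 2>$null |
            Where-Object { $_ -match [regex]::Escape($sub) } | Select-Object -First 1
    Add-Check "Audit: $sub" ([bool]($line -match 'Success')) ("$line".Trim())
}

# Appendix A "Low success rate of active name resolution": the sensor needs DNS
# reachability and reverse lookup zones, so test a PTR lookup of the DC's own address
$ownIp = (Get-NetIPAddress -AddressFamily IPv4 |
          Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
          Select-Object -First 1).IPAddress
$ptr = if ($ownIp) { Resolve-DnsName -Name $ownIp -Type PTR -ErrorAction SilentlyContinue }
Add-Check 'Reverse DNS lookup of own IP' ([bool]$ptr) $(if ($ptr) { $ptr.NameHost } else { "no PTR for $ownIp" })

# Every failed row maps back to the step or recommendation named in its comment above
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

A non-zero exit code makes the script usable as a pre-deployment gate or as a first triage step when the Service Now ticket from 05.02 arrives; the firewall checks for ports 135, 137 and 3389 on other hosts are deliberately left to the Networking Team per the RACI matrix.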


Process Owners
Refer to the Business Process owners at: [Link]

Reviews/Approvals
This document was reviewed and approved by the following. Electronic signatures are accepted. By signing electronically, it is agreed the electronic signature is the equivalent of a manual signature on this document.

| Version | Reviewer(s)/Approver(s) | Method of Approval (Meeting, Email, etc.) | Date |
|---|---|---|---|
| 1.0 | David Fry | Email | 01/19/2024 |
| 1.1 | David Fry, Scott Avart | Email | 12/09/2024 |

Version Control

| Version | Date | Edited by | Summary of Revision(s) |
|---|---|---|---|
| 1.0 | 01/09/2024 | Jeremy Conley | New Document |
| 1.0 | 04/08/2024 | Jeremy Conley | Minor revision to the Assignment Group based on Domain of the sensor in Step 3 |
| 1.1 | 11/25/2024 | Jeremy Conley | Add hosting teams and adjustments of Assignment Groups, update of the decommission process and diagram, update of Health Issue Recommendations |
