When testing Symantec Endpoint Threat Defense for Active Directory (TDAD) integrated with a Symantec Endpoint Protection Manager (SEPM), a Credential Theft using Overpass-The-Hash test generates no alert in the SEPM.
The test client is not recognized as managed by the associated SEPM.
To generate this alert, the name of the SEPM Management server to which the client is connected must be the same as the machine hostname. This name should also be reflected on the SEPM server certificate that is used to register the SEPM with the TDAD Core Console.
If the client is connected to a SEPM whose Management server name differs from the machine hostname, reconfigure that SEPM so that its Management server name matches the hostname by following these steps:
1. Start the SEPM's Management Server Configuration Wizard
2. Change the Management server name so that it is the same as the SEPM machine's hostname
3. Ensure the client is connected to the same SEPM
4. Generate a Credential Theft using Overpass-The-Hash alert on the client