
Brian_Sutton (Copper Contributor)
Aug 05, 2019

AD Connect MSOL_ User + Suspected DCSync Attack

We use AD Connect in order to replicate our on-premises AD accounts to Azure AD. The replication process is completed under the context of the 'MSOL_xxxxxxxx' user account. The AD Connect application is installed on a member server (i.e. not on a DC). AATP is reporting "Suspected DCSync attack (replication of directory services)" for the MSOL_ user account running on that member server. This appears to be a false positive. Is this a known issue/false positive?

  • Kent Nordström (Copper Contributor)
    I just found this while searching in relation to Defender for Identity, and in case others do the same, I am adding my response here...

    You will get this alert, Suspected DCSync attack (replication of directory services), when you start with Microsoft Defender for Identity. To exclude the Azure AD Connect server from causing this alert, you can go to Settings - Identity - Exclusions by detection rule and add your Azure AD Connect server as an excluded device.
    • hib1000 (Copper Contributor)
      ...is the correct answer! Thanks a lot 🙂
  • Michael Platt (Brass Contributor)
    I figured this out. You add the exclusion from the alert, NOT from the exclusions page.
  • Brian_Sutton Yes, it is; you should exclude the account or the machine from this alert for now.

    (Until we have some news on this: we are working on a feature around this case, but it will take time to see results...)

    • SSingh (Copper Contributor)
      Has this been fixed or not yet?
      I am seeing frequent FP alerts in my environment from a particular MSOL_**** account.
    • Brian_Sutton (Copper Contributor)

      EliOfek How do I exclude this account/machine from this alert? I only see an option to Close the alert or to Suppress it (resumes after 7 days). Thanks!
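
Added example, not part of the thread above and not Microsoft's or anyone's tooling: before excluding the Azure AD Connect server or the MSOL_ account from the "Suspected DCSync attack" detection, two checks let you confirm the alert really is the benign replication the thread describes. The first lists every principal that holds a replication extended right on the domain naming context (the rights DCSync exercises), so the MSOL_ account shows up as an expected holder and anything else is flagged for review. The second pulls Security event 4662 from a domain controller and filters for the same replication GUIDs, showing which accounts actually requested replication. It assumes the RSAT ActiveDirectory module, that the Azure AD Connect service account still matches the MSOL_ naming pattern from the question, and that "Audit Directory Service Access" is enabled on the DCs so event 4662 is logged; the MSOL_ name pattern and the list of expected built-in holders are assumptions to adjust for your environment.

```powershell
# Added example (not from the thread). Checks to run before excluding the
# Azure AD Connect server from the DCSync detection:
#   1. Who holds replication (DCSync-capable) rights on the domain head.
#   2. Who actually exercised those rights recently (Security event 4662 on a DC).
# Assumptions: RSAT ActiveDirectory module; the AAD Connect account is named
# MSOL_<hex> as in the question; directory service access auditing is enabled.
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs for directory replication. DCSync needs
# Get-Changes plus Get-Changes-All.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Built-in holders that are normal in any domain (assumed baseline; extend it only
# after verifying each additional principal, e.g. a backup product's account).
$ExpectedBuiltIn = @(
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators'
)

function Get-PrincipalVerdict {
    param([string]$Name)
    # Assumption: the Azure AD Connect account still follows the MSOL_<hex> pattern.
    if ($Name -match '\\MSOL_[0-9A-Fa-f]+$') { return 'Expected (Azure AD Connect)' }
    if ($Name -match '\\(Domain Controllers|Enterprise Read-only Domain Controllers)$') { return 'Expected (built-in)' }
    if ($ExpectedBuiltIn -contains $Name) { return 'Expected (built-in)' }
    return 'REVIEW'
}

# Check 1: Allow ACEs on the domain naming context granting a replication right.
function Get-ReplicationRightHolders {
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDN"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $ReplicationRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.IdentityReference.Value
                Right     = $ReplicationRights[$_.ObjectType.ToString()]
                Inherited = $_.IsInherited
                Verdict   = Get-PrincipalVerdict $_.IdentityReference.Value
            }
        } | Sort-Object Verdict, Principal
}

# Check 2: 4662 events whose Properties field names one of the replication GUIDs.
# SubjectUserName is the account that requested replication. DC computer accounts
# (names ending in $) appear here for normal DC-to-DC replication.
function Get-ReplicationAccessEvents {
    param(
        [string]$DomainController = (Get-ADDomainController).HostName,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $guidPattern = ($ReplicationRights.Keys -join '|')
    Get-WinEvent -ComputerName $DomainController `
                 -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since } |
        ForEach-Object {
            $data = @{}
            foreach ($field in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
            if ($data['Properties'] -match $guidPattern) {
                $user = $data['SubjectUserName']
                if     ($user -match '^MSOL_[0-9A-Fa-f]+$') { $verdict = 'Expected (Azure AD Connect)' }
                elseif ($user.EndsWith('$'))                 { $verdict = 'Computer account (confirm it is a DC)' }
                else                                         { $verdict = 'REVIEW' }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Account = "$($data['SubjectDomainName'])\$user"
                    Right   = $ReplicationRights[$Matches[0]]
                    Verdict = $verdict
                }
            }
        }
}

Get-ReplicationRightHolders | Format-Table -AutoSize
Get-ReplicationAccessEvents | Group-Object Account, Verdict | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If the MSOL_ account is the only non-built-in holder in the first listing and the only non-DC requester in the second, the alert matches the benign Azure AD Connect synchronisation the thread is about. Two caveats when you then apply the exclusion: excluding the account or the server also silences a genuine DCSync carried out by an attacker who has compromised that account or that server, and any holder marked REVIEW in the first listing is worth explaining before the alert is dismissed, because an extra ACE granting these rights is a common persistence technique. Treat the Azure AD Connect server with the same controls as a domain controller.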
