Forum Discussion
Azure ATP & Your Advanced Audit Policy
A common issue with many security products is a lack of visibility into the configuration status of your connectors, events and data sources. Without proper configuration, your organization remains unprotected in key areas.
To ensure Azure ATP is receiving the correct Windows events, giving you maximum coverage, we've added a new audit policy check to the Azure ATP sensor.
The Azure ATP sensor installed on each domain controller now checks whether that domain controller's Advanced Audit Policy is configured correctly, and issues a health alert if it finds a misconfiguration.
The Advanced Audit Policy provides key information that allows Azure ATP to identify and alert you to group membership changes (what changed and who made the change), to improve detection for abnormal group modification alerts, and to gain visibility into resource access via NTLM.
For more information and remediation steps: aka.ms/aatp/audit
Azure ATP, giving you more to protect your environment.
As always, your feedback is welcome. Stay tuned for additional updates.
12 Replies
- kjetil-mstechcomm (Copper Contributor)
I also see the same behavior. For me it looks like a bug in how Azure ATP detects that the GPO is missing. In my lab, I also edited the Default Domain Controller Policy, but the alert still stays in the Azure ATP console.
However, after I edited the local GPO directly on each domain controller (using gpedit.msc), the alert went away. Either the documentation is not correct, or there is something wrong with how the portal detects whether advanced auditing is turned on or off.
- EliOfek (Microsoft)
Can you navigate to this path:
\\[DomainDnsName]\sysvol\[DomainDnsName]\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit\audit.csv
and let us know, in each of the cases, whether the file existed?
(replace DomainDnsName with your real full DNS name...)
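Added example, not from the original post or from the Azure ATP team: a PowerShell check a practitioner can run on a domain controller to compare the two places this thread talks about, the audit.csv that a GPO writes into SYSVOL and the audit policy actually in effect on the DC. Two facts worth stating when reading the path above: {31B2F340-016D-11D2-945F-00C04FB984F9} is the well-known GUID of the Default Domain Policy, while the Default Domain Controllers Policy is {6AC1786C-016F-11D2-945F-00C04fB984F9}, so the script looks at both. Editing the local policy with gpedit.msc changes the DC's effective policy but writes nothing into SYSVOL, which is why the two checks can disagree. The subcategories checked are only the two named later in this thread (Credential Validation and Security Group Management); the full list Azure ATP needs is in the linked article, not on this page, so treat `$Required` as an assumption to extend. The script assumes the ActiveDirectory and GroupPolicy RSAT modules are installed and that the caller can read SYSVOL.

```powershell
# Added example: compare Advanced Audit Policy as written into a GPO in SYSVOL
# with the policy in effect on this domain controller.
# Assumption: only the two subcategories discussed in this thread are checked.
Import-Module ActiveDirectory, GroupPolicy

$Required = @('Credential Validation', 'Security Group Management')

# Well-known GPO GUIDs; these are fixed in every Active Directory domain.
$Gpos = [ordered]@{
    'Default Domain Controllers Policy' = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
    'Default Domain Policy'             = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
}

$Domain = (Get-ADDomain).DNSRoot

function Get-GpoAuditCsv {
    # Returns the rows of a GPO's audit.csv from SYSVOL, or an empty array if
    # the GPO has never had Advanced Audit Policy settings written into it.
    param([Parameter(Mandatory)][string]$GpoGuid)
    $path = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid\MACHINE\Microsoft\Windows NT\Audit\audit.csv"
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "No audit.csv for GPO $GpoGuid at $path"
        return @()
    }
    Import-Csv -LiteralPath $path
}

# 1. What each GPO carries in SYSVOL. In audit.csv the Subcategory column is
#    prefixed with "Audit ", e.g. "Audit Credential Validation".
foreach ($entry in $Gpos.GetEnumerator()) {
    $display = (Get-GPO -Guid $entry.Value -ErrorAction SilentlyContinue).DisplayName
    if (-not $display) { $display = $entry.Key }
    Write-Host "== $display $($entry.Value) =="
    $rows = Get-GpoAuditCsv -GpoGuid $entry.Value
    foreach ($sub in $Required) {
        $row = $rows | Where-Object { $_.Subcategory -eq "Audit $sub" }
        if ($null -eq $row) {
            Write-Host ("  {0,-8} {1}" -f 'MISSING', $sub)
        } else {
            Write-Host ("  {0,-8} {1} -> {2}" -f 'present', $sub, $row.'Inclusion Setting')
        }
    }
}

# 2. What is actually in effect on this DC. auditpol /r emits CSV with an
#    "Inclusion Setting" column ("Success and Failure", "Success", "Failure",
#    "No Auditing"); blank lines are dropped before parsing.
Write-Host "== Effective policy on $env:COMPUTERNAME (auditpol) =="
$Effective = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
foreach ($sub in $Required) {
    $row    = $Effective | Where-Object { $_.Subcategory -eq $sub }
    $actual = if ($row) { $row.'Inclusion Setting' } else { '(not reported)' }
    $status = if ($actual -eq 'Success and Failure') { 'OK' } else { 'FAIL' }
    Write-Host ("  {0,-5} {1}: {2}" -f $status, $sub, $actual)
}
```

Run it elevated on the domain controller that raised the health alert. A GPO that shows MISSING in step 1 while step 2 shows OK means the effective setting comes from somewhere other than that GPO (a local edit or another GPO), which is exactly the situation the replies in this thread are trying to tell apart.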
- Paul_Brock (Brass Contributor)
Any updates on this? Is the ATP team looking in the wrong location for the policy?
- Itay Argoety (Iron Contributor)
Right now we only support reading the Default Domain Controllers Policy. We are working on supporting custom domain policies.
You can suppress the alert, so it won't reopen again for a week.
- Paul_Brock (Brass Contributor)
Our default domain controller policy is configured as described in the article. Is there a security right that the agent needs to read the group policies that it might not have?
- Ryan Morash (Iron Contributor)
Same here, followed the documentation exactly. The auditing policy is set on the Default Domain Controller Policy.
- Paul_Brock (Brass Contributor)
When running gpresult /h (unknown) I can see in the results that both "Audit Credential Validation" and "Audit Security Group Management" are set to "Success, Failure" by the winning GPO "Default Domain Controllers Policy". Given that I don't understand why I am getting the new alert. Is there somewhere else I should be looking to troubleshoot why this alert is being fired?
- Ryan Morash (Iron Contributor)
Running into the same issue on our tenant. If I close the health event it reoccurs within 24 hours.