Forum Discussion
bryanb
Dec 04, 2019 Brass Contributor
Domain synchronizer process "all entities from a specific Active Directory domain proactively"
Hello,
The MS docs for the ATP Sensor (https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-architecture) mention the "Domain synchronizer process". I understand one of the func...
EliOfek
Microsoft
Dec 04, 2019
bryanb,
It's actually both.
We use it to create the DCs' inventory, and also sync entities like Users, Machines, Groups, Domains, Sites, Forests, Trusts, Policies.
For each entity there is a set of attributes (which are interesting to detection) that we are syncing.
Eli
- bryanb Dec 04, 2019 Brass Contributor
Thanks for the response. Where can I find a reference to which properties of each object/entity are synced?
Thanks!
- EliOfek Dec 04, 2019
Microsoft
You can find partial info here:
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/monitored-activities
I don't think there is an official list maintained in the docs, as it's very dynamic, and might change on a weekly basis.
For now the rule of thumb is that we may sync anything from AD about Users, Machines, Groups, Domains, Sites, Forests, Policies, Trusts, which is not a "Secret" like a password or a hash (which are also not interesting for detection).
Viewing the profile page of an entity you can also see some of the data we sync, although the data displayed is not all the data synced.