Forum Discussion

bryanb's avatar
bryanb
Brass Contributor
Dec 04, 2019

Domain synchronizer process "all entities from a specific Active Directory domain proactively"

Hello, The MS docs for the ATP Sensor (https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-architecture) mentions the "Domain synchronizer process".   I understand one of the func...
Sensor
EliOfek's avatar
EliOfek
Icon for Microsoft rankMicrosoft
Dec 04, 2019

bryanb ,

It's actually both.

WE use it to create DC's inventory, and also sync entities like Users, Machines, Groups, Domains, Sites, forests , trusts, policies.

For each entity there is a set of attributes (which are interesting to detection) that we are syncing.

 

Eli

bryanb's avatar
bryanb
Brass Contributor
Dec 04, 2019

EliOfek 

Thanks for the response.   Where can I find reference to which properties of each object/entities are synced?

 

Thanks!

  • EliOfek's avatar
    EliOfek
    Icon for Microsoft rankMicrosoft
    Dec 04, 2019

    bryanb 

    You can find partial info here:

    https://docs.microsoft.com/en-us/azure-advanced-threat-protection/monitored-activities

    I don't think there is an official list maintained in the docs, as it's very dynamic, and might change on a weekly basis.

    For now the rule of thumb is there we may sync anything from AD about Users, Machines, Groups, Domains, Sites, Forests, Policies, Trusts, which is not a "Secret" like a password or a hash (which are also not interesting for detection).

    Viewing the profile page of an entity you can also see some of the data we sync, although data displayed is not all the data synced.

    • bryanb's avatar
      bryanb
      Brass Contributor
      Dec 04, 2019

      EliOfek Thanks again for the update and the link.  I believe that has the details I need.   Thank you

       

       

Resources