Forum Discussion
rob_wood_8894
Apr 26, 2022, Brass Contributor
Filtering OUs/Users
Hello, I am a newbie in the world of MDI and on the project I've just joined the end client has a requirement to protect a group of sensitive users housed in an OU in a child domain. There is a ...
EliOfek
Microsoft
You have prevented the AD sync, which means that as long as we never had permissions to read the entity, we won't sync it and it won't be "copied" to Azure.
Having said that, if the blocked entity creates actual network activity to the DC running the sensor, we will still see the activity, and might still see and capture account details that are in this activity (for example samName, upnName, possibly Display name), and while we won't be able to resolve them to an AD entity, we will still have them in Azure and display them.
MDI was not designed in the first place for this approach, and probably never will be, as it does not make any sense security-wise.
rob_wood_8894
May 19, 2022, Brass Contributor
Hi Eli,
We appreciate that this is an unsupported activity and that it is nonsensical from a security perspective; however, these activities have been a necessary evil as we likely won't get approval to install sensors without this exclusion.
As far as activities are concerned, I used a non-protected account to log on to a network device and this was reported in Advanced Hunting queries. I did the same activity with a protected account and this wasn't reported in the same query. I assume Advanced Hunting runs its queries against Azure?
EliOfek
May 19, 2022, Microsoft
It does, but it has some latency.
Just want to make sure you understand that even if you can "make it work" "good enough" now, no one promises you that it will stay like that over time, as it is not designed with such an approach in mind. A future code change might change things.
I still think that there could be cases where such data will be displayed even if not resolved properly.
rob_wood_8894
May 19, 2022, Brass Contributor
Thanks Eli, that helps a lot. I can use the points you make as caveats in the document we are submitting to the client.