SAMR Discovery Process
For SAM-R, we understand the following is required: "Azure ATP lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Azure ATP Service account created during Azure ATP installation."
My question is around the SAM-R process from the sensors to the domain members and network access rules (FW). Our AD site is a standard hub and spoke with several dozen branch office locations.
What determines which ATP sensor is used to query a domain member?
Does the Sensor only perform the SAMR discovery against the domain members in its AD site or some other discovery mechanism?
Does each domain sensor need SAM-R/SMB access to ALL domain members?
Example:
AD-Branch1 server only requires TCP445 to networks in Branch1.
Thank you
- EliOfek (Microsoft)
bryanb Some clarifications:
- The account used to authenticate with those SAMR requests is not the service account, but the configured AD/gMSA account in the portal.
A sensor might issue the inquiry to any endpoint that contacted the DC it is installed on, no matter where it is located.
So all sensors need port access to all endpoints in the network.
- bryanb (Brass Contributor)
EliOfek Thanks for the reply!
Correct, the gMSA will be used.
We have a highly segmented environment. A DC in BO#1 is not permitted to access a domain member in BO#2 (firewall rules). We allow domain members in a site access to the DC in that site and the DCs in our hub site. If I understand your reply, we won't have any issues, since a DC in BO#2 will never authenticate an endpoint in BO#3 (no firewall rules).
In a multiple domain forest, the sensors only perform this SAMR function within the DC's server domain, right?
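The reply above states the rule that decides the firewall requirement: a sensor may issue the SAM-R query to any endpoint that authenticated against the DC it runs on, and the query is DC-initiated over TCP/445. The following added example (not code from the thread or from Microsoft) shows how a defender can check a segmented design against that rule before enabling lateral movement path detection: it takes logon records of which workstation contacted which DC, maps each endpoint to an AD site by subnet, and lists the DC-to-endpoint TCP/445 flows that cross a site boundary and would therefore need a new rule. The site/subnet table, the DC list, and the logon records are all constructed sample data, and the default policy (same-site flows allowed, everything else blocked) is an assumption standing in for the hub-and-spoke rules described in the question.

```python
"""
Derive the DC-initiated TCP/445 (SAM-R over SMB) flows a Defender for Identity
sensor would need, based on which endpoints authenticated to each DC, and flag
the flows that cross AD site boundaries.  All data below is constructed.
"""
import ipaddress
from collections import defaultdict

# Assumed AD site -> subnet mapping (constructed for this example).
SITE_SUBNETS = {
    "Hub": ipaddress.ip_network("10.0.0.0/16"),
    "Branch1": ipaddress.ip_network("10.1.0.0/16"),
    "Branch2": ipaddress.ip_network("10.2.0.0/16"),
}

# Assumed DC -> AD site placement (constructed).
DC_SITES = {"DC-HUB1": "Hub", "DC-BR1": "Branch1", "DC-BR2": "Branch2"}

# Constructed logon records: (dc that handled the logon, workstation, source ip).
# In practice these would come from 4624 events or the DFI "network activity" view.
SAMPLE_LOGONS = [
    ("DC-BR1", "WS-B1-01", "10.1.5.20"),
    ("DC-BR1", "WS-B1-02", "10.1.5.21"),
    ("DC-HUB1", "WS-B1-01", "10.1.5.20"),    # branch host also authenticates to a hub DC
    ("DC-HUB1", "WS-B2-07", "10.2.3.9"),
    ("DC-BR2", "WS-B2-07", "10.2.3.9"),
    ("DC-BR2", "LAPTOP-ROAM", "10.1.9.44"),  # roaming host authenticates cross-site
]


def site_of(ip):
    """Return the AD site whose subnet contains ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for site, net in SITE_SUBNETS.items():
        if addr in net:
            return site
    return None


def required_samr_targets(logons):
    """Map each DC to the set of (workstation, ip) its sensor may query via SAM-R.

    This applies the rule from the thread: any endpoint that contacted the DC
    is a candidate target, regardless of where it sits.
    """
    targets = defaultdict(set)
    for dc, ws, ip in logons:
        targets[dc].add((ws, ip))
    return dict(targets)


def blocked_samr_flows(logons, allowed_pairs=None):
    """List DC->endpoint flows not covered by allowed (dc_site, endpoint_site) pairs.

    Default policy (an assumption): only same-site DC-initiated TCP/445 is open.
    Returns a sorted list of (dc, workstation, ip, dc_site, endpoint_site).
    """
    if allowed_pairs is None:
        allowed_pairs = {(s, s) for s in SITE_SUBNETS}
    gaps = set()
    for dc, ws, ip in logons:
        dc_site = DC_SITES[dc]
        ep_site = site_of(ip)
        if (dc_site, ep_site) not in allowed_pairs:
            gaps.add((dc, ws, ip, dc_site, ep_site))
    return sorted(gaps)


def format_rule(dc, ip):
    """Render one required allow rule in a vendor-neutral form."""
    return f"allow tcp from {dc} to {ip} dst-port 445"


if __name__ == "__main__":
    for dc, eps in sorted(required_samr_targets(SAMPLE_LOGONS).items()):
        print(f"{dc}: {len(eps)} SAM-R target(s)")
    print("Flows the current policy would block:")
    for dc, ws, ip, ds, es in blocked_samr_flows(SAMPLE_LOGONS):
        print(f"  {format_rule(dc, ip)}   # {ds} DC -> {es} host {ws}")
```

Run with real data by replacing SAMPLE_LOGONS with (dc, workstation, ip) tuples exported from your DC logon events; any flow printed under "would block" is one the sensor will attempt and the firewall will drop, which is exactly the case the question raises for a hub DC that authenticates branch hosts.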