Forum Discussion

Cristian Calinescu
Brass Contributor
Sep 14, 2018

Azure ATP Unresolved Entity

For the past 3 days we have had an entity in Azure ATP called WORKSTATION that has the tag Unresolved (This user/computer/group was not synced from the domain, and was partially resolved via a global catalog. Some attributes are not available). When checking the entity's timeline activities there are multiple failed logon attempts using a wrong password from random users. There is also a failed attempt from a non-existent domain account. Does anyone have any ideas where this appeared from and how I can investigate this (get to the bottom of this)?

2 Replies

  • Hi Christian,


    We had something similar from "MSTSC" - hopefully the details below will help you identify things further? The process followed was:

    On the specific Domain Controller that is being targeted - use the following:

    https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fen-au%2Fhelp%2F109626%2Fenabling-debug-logging-for-the-netlogon-service&data=02%7C01%7CGerson.Levitz%40microsoft.com%7C59a29302caf542b4237508d5c1270cba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636627295850223680&sdata=xHISuMyDxTmwZ9uCYh%2FxYCbbBiT%2FyoqamyaEuiR1wLA%3D&reserved=0


    Enable:

    Nltest /DBFlag:1004

    net stop netlogon

    net start netlogon

    Disable:

    Nltest /DBFlag:0x0

    net stop netlogon

    net start netlogon


    The value of 1004 should focus on:

    #define NL_LOGON          0x00000004 // Logon processing

    #define NL_SERVER_SESS    0x00001000 // Server session maintenance

    (more details at the bottom of that KB Article)


    Log files end up in %windir%\debug\netlogon.log


    From this we were able to identify the specific machine that was being used to attempt to log in via the RDP Client - hence the use of MSTSC.exe in the Azure ATP logs - and then backtrack from there. We did make the comment in feedback to the Azure ATP team that it seemed strange that this wasn't flagged as an RDP login in the first place...? I'm guessing what you might be seeing is a connection via the Workstation service perhaps?

    Hope that helps 
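The reply above stops at "the log files end up in %windir%\debug\netlogon.log"; the step it leaves to the reader is working out from those lines which machine the attempts are actually arriving from. The script below is an added example, not code from the thread or from Microsoft: it parses the SamLogon entries that Netlogon writes with DBFlag 1004 enabled, keeps only the ones with a non-zero NTSTATUS, and groups them by the workstation name the client presented, by the member server that forwarded the logon (the "(via HOST)" part of a transitive logon, which is the RDP host in the scenario the reply describes) and by failure code. The sample log lines, the host and account names, the exact field layout of the lines and the function names are all constructed for this example; real netlogon.log output varies slightly between OS versions, so check the regular expression against a few lines from your own file first.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from a real domain controller). The layout
# is modelled on the SamLogon entries Netlogon writes with /DBFlag:1004:
# a "Transitive" logon carries "(via HOST)", naming the member server that
# forwarded the request; "Returns 0x..." carries the NTSTATUS result.
# svc_backup plays the role of the non-existent account from the question.
SAMPLE_LOG = """\
09/11 08:02:11 [LOGON] [1820] CONTOSO: SamLogon: Network logon of CONTOSO\\alice from WORKSTATION Entered
09/11 08:02:11 [LOGON] [1820] CONTOSO: SamLogon: Network logon of CONTOSO\\alice from WORKSTATION Returns 0xC000006A
09/11 08:02:14 [LOGON] [1820] CONTOSO: SamLogon: Network logon of CONTOSO\\bob from WORKSTATION Returns 0xC000006A
09/11 08:02:20 [LOGON] [1820] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\\carol from WORKSTATION (via RDS01) Returns 0xC000006A
09/11 08:02:25 [LOGON] [1820] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\\svc_backup from WORKSTATION (via RDS01) Returns 0xC0000064
09/11 08:03:01 [LOGON] [1820] CONTOSO: SamLogon: Network logon of CONTOSO\\dave from PC-0042 Returns 0x0
09/11 08:03:05 [LOGON] [1820] CONTOSO: SamLogon: Network logon of CONTOSO\\alice from WORKSTATION Returns 0x0
"""

# NTSTATUS values commonly seen on failed logons.
STATUS_NAMES = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Only completed entries ("Returns ...") are matched; "Entered" lines are ignored.
SAMLOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \[\d+\] \S+: "
    r"SamLogon: (?:Transitive )?Network logon of (?P<account>\S+) "
    r"from (?P<source>\S+)(?: \(via (?P<via>\S+)\))? "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)$"
)


def parse_samlogon(text):
    """Yield one dict per completed SamLogon entry in the log text."""
    for line in text.splitlines():
        m = SAMLOGON_RE.match(line.strip())
        if not m:
            continue
        code = int(m.group("status"), 16)
        yield {
            "ts": m.group("ts"),
            "account": m.group("account"),
            "source": m.group("source"),   # workstation name the client presented
            "via": m.group("via"),         # member server that forwarded it, if any
            "status": code,
            "status_name": STATUS_NAMES.get(code, "0x%08X" % code),
        }


def failed_logons(text):
    """Entries whose NTSTATUS is anything other than 0 (STATUS_SUCCESS)."""
    return [e for e in parse_samlogon(text) if e["status"] != 0]


def summarize_failures(text):
    """Count failures by presented source name, by forwarding host and by
    status, and list the accounts tried from each source name."""
    by_source, by_via, by_status = Counter(), Counter(), Counter()
    accounts = defaultdict(set)
    for e in failed_logons(text):
        by_source[e["source"]] += 1
        by_status[e["status_name"]] += 1
        if e["via"]:
            by_via[e["via"]] += 1
        accounts[e["source"]].add(e["account"])
    return {
        "by_source": dict(by_source),
        "by_via": dict(by_via),
        "by_status": dict(by_status),
        "accounts": {k: sorted(v) for k, v in accounts.items()},
    }


if __name__ == "__main__":
    # On a DC, replace SAMPLE_LOG with open(r"C:\Windows\debug\netlogon.log").read()
    for key, value in summarize_failures(SAMPLE_LOG).items():
        print(key, value)
```

The name in "from ..." is whatever the client claimed as its workstation name, which is why Azure ATP can show an entity it cannot resolve against AD; the "(via ...)" host, on the other hand, is a real domain member that the DC answered, so grouping by it is what turns the unresolved entity into a machine you can go and look at. Remember to turn the debug flag back off (DBFlag:0x0 and a Netlogon restart, as in the reply above) once you have what you need, since the log grows quickly on a busy DC.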

  • What do you mean by "partially resolved via a global catalog"?

    Usually when an entity is resolved from AD it's fully resolved, and if it's partial, we don't get info from AD at all.
