Sep 02 2018 04:47 AM
A common issue with many security products is the lack of visibility as to the configuration status of your connectors, events and data sources. Without proper configuration, your organization remains unprotected in key areas.
To ensure Azure ATP is receiving the correct Windows events, providing you with maximum coverage, we've added a new audit policy check to the Azure ATP sensor.
The Azure ATP sensor installed on each domain controller now checks if your domain controller’s Advanced Audit Policy is configured correctly, and issues a health alert in the event of a misconfiguration.
The Advanced Audit Policy provides key information allowing Azure ATP to identify and alert you to group membership changes (what changes were made, and who made the change), enhanced detection for abnormal group modification alerts, and visibility to resource access via NTLM.
For more information and remediation steps: aka.ms/aatp/audit
Azure ATP, giving you more to protect your environment.
As always, your feedback is welcome. Stay tuned for additional updates.
Sep 06 2018 09:29 AM
When running gpresult /h (unknown) I can see in the results that both "Audit Credential Validation" and "Audit Security Group Management" are set to "Success, Failure" by the winning GPO "Default Domain Controllers Policy". Given that I don't understand why I am getting the new alert. Is there somewhere else I should be looking to troubleshoot why this alert is being fired?
Sep 07 2018 03:56 PM
Running into the same issue on our tenant. If I close the health event it reoccurs within 24 hours.
Sep 08 2018 12:44 PM
Our default domain controller policy is configured as described in the article. Is there a security right that the agent needs to read the group policies that it might not have?
Sep 08 2018 01:25 PM
I also see the same behavior. It looks like a bug in how Azure ATP detects that the GPO is missing. In my lab, I also edited the Default Domain Controllers Policy, but the alert still stays in the Azure ATP console.
However, after I edited the local GPO directly on each domain controller (using gpedit.msc), the alert went away. Either the documentation is not correct, or something is wrong with how the portal detects whether advanced auditing is turned on or off.
Sep 08 2018 03:17 PM
Can you navigate to this path:
\\[DomainDnsName]\sysvol\[DomainDnsName]\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit\audit.csv
and let us know, in each of the cases, whether the file exists?
(Replace DomainDnsName with your real fully qualified DNS name.)
Sep 08 2018 05:42 PM
Isn't that the wrong GUID for the Default Domain Controllers policy? My understanding is that the GUID you provided is for the Default Domain Policy.
How to create the default domain policies
Sep 09 2018 04:43 PM
I'm able to see the file under \\[DomainDnsName]\SYSVOL\[DomainDnsName]\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit\audit.csv which is the correct path for the Default Domain Controller Policy, but not the path you shared, which as @Alex Entringer mentioned, appears to be for the Default Domain Policy.
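The thread above narrows the problem down to two things a defender can verify directly on a domain controller: whether the Default Domain Controllers Policy actually ships an audit.csv in SYSVOL (under the {6AC1786C-016F-11D2-945F-00C04FB984F9} GUID quoted in the previous reply), and whether the effective local audit policy on the DC really has "Audit Credential Validation" and "Audit Security Group Management" set to Success and Failure. The script below is an added example written for this page, not code from Microsoft or from any poster in the thread. It assumes it is run elevated on a domain controller, that `$env:USERDNSDOMAIN` holds the domain's DNS name, and that audit.csv uses the standard GPO columns (Subcategory, Setting Value with 3 meaning Success and Failure) and `auditpol /r` emits its standard CSV report; the function names are my own.

```powershell
# Added example (not from the thread): compare the audit subcategories the Azure ATP
# health alert complains about across (a) the Default Domain Controllers Policy's
# audit.csv in SYSVOL and (b) the effective local policy reported by auditpol.
# Assumptions: run elevated on a DC; $env:USERDNSDOMAIN is the domain DNS name;
# the GPO GUID below is the well-known Default Domain Controllers Policy GUID
# quoted earlier in this thread.

$domain   = $env:USERDNSDOMAIN
$ddcGuid  = '{6AC1786C-016F-11D2-945F-00C04FB984F9}'   # Default Domain Controllers Policy
$auditCsv = "\\$domain\SYSVOL\$domain\Policies\$ddcGuid\MACHINE\Microsoft\Windows NT\Audit\audit.csv"

# Subcategory names as they appear in a GPO audit.csv (with the "Audit " prefix).
$required = @('Audit Credential Validation', 'Audit Security Group Management')

function Test-GpoAuditCsv {
    # Checks the GPO-side audit.csv: file present, and each required subcategory
    # has Setting Value 3 (1 = Success, 2 = Failure, 3 = Success and Failure).
    param([string]$Path, [string[]]$Subcategories)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Source = 'GPO audit.csv'; FileFound = $false; Missing = $Subcategories }
    }

    $rows    = Import-Csv -LiteralPath $Path
    $okNames = $rows |
        Where-Object { $Subcategories -contains $_.Subcategory -and [int]$_.'Setting Value' -eq 3 } |
        ForEach-Object { $_.Subcategory }
    $missing = @($Subcategories | Where-Object { $okNames -notcontains $_ })

    [pscustomobject]@{ Source = 'GPO audit.csv'; FileFound = $true; Missing = $missing }
}

function Test-LocalAuditPolicy {
    # Checks the effective policy on this DC. auditpol /r emits CSV with the columns
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    # and names subcategories without the "Audit " prefix used in audit.csv.
    param([string[]]$Subcategories)

    $rows = auditpol /get /category:* /r |
        Where-Object { $_ -match ',' } |      # drop blank lines around the report
        ConvertFrom-Csv

    $missing = foreach ($sub in $Subcategories) {
        $localName = $sub -replace '^Audit ', ''
        $row = $rows | Where-Object { $_.Subcategory -eq $localName } | Select-Object -First 1
        if ($null -eq $row -or $row.'Inclusion Setting' -ne 'Success and Failure') { $sub }
    }

    [pscustomobject]@{ Source = 'auditpol (effective)'; FileFound = $true; Missing = @($missing) }
}

$results = @(
    Test-GpoAuditCsv -Path $auditCsv -Subcategories $required
    Test-LocalAuditPolicy -Subcategories $required
)

# A non-empty Missing list on the GPO side but not the auditpol side reproduces the
# situation described in the thread (local policy correct, GPO file not where expected).
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Missing.Count -gt 0 }) {
    Write-Warning "Azure ATP audit policy prerequisites are not fully met; see aka.ms/aatp/audit"
}
```

If the auditpol side reports nothing missing while the GPO side does, the DC is auditing correctly and the discrepancy lies in which policy file is being inspected, which is the conclusion the thread reaches below; if both sides report the same gap, `gpupdate /force` followed by a re-run of the script is the first thing to try before suppressing the health alert.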
Sep 12 2018 02:39 PM
Any updates on this? Is the ATP team looking in the wrong location for the policy?
Sep 12 2018 03:04 PM
Yes, it's a bug; a fix is on its way. Not sure when it will be deployed yet, so for now I suggest suppressing the alert.