%3CLINGO-SUB%20id%3D%22lingo-sub-1598212%22%20slang%3D%22en-US%22%3EHunt%20for%20threats%20using%20events%20captured%20by%20Azure%20ATP%20on%20your%20domain%20controller%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1598212%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EWe%E2%80%99re%26nbsp%3Bthrilled%20to%20share%20that%20you%20can%20now%20hunt%20for%20threats%20using%20events%20on%20your%20domain%20controller%20with%20advanced%20hunting%20in%20Microsoft%20Threat%20Protection.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThe%20new%20%3C%2FSPAN%3E%3CSTRONG%3EIdentityDirectoryEvents%3C%2FSTRONG%3E%3CSPAN%3E%20table%E2%80%94available%20in%20%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fpreview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Epublic%20preview%3C%2FA%3E%3CSPAN%3E%E2%80%94incorporates%20data%20from%20the%20Azure%20Advanced%20Threat%20Protection%20(Azure%20ATP)%20sensor%2C%20including%20various%20identity-related%20activities%2C%20such%20as%20account%20password%20changes%20or%20remote%20creation%20of%20scheduled%20tasks%20on%20the%20domain%20controller.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22AATPTable.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F213255iB3E5C990D530AA6B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22AATPTable.png%22%20alt%3D%22AATPTable.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20general%2C%20the%20table%20captures%20three%20categories%20of%20events%20on%20your%20domain%20controller%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ERemote%20code%20execution%3C%2FLI%3E%0A%3CLI%3EChanges%20to%20attributes%20of%20Active%20Directory%20objects%2C%20including%20groups%2C%20users%2C%20and%20devices%3C%2FLI%3E%0A%3CLI%3EOther%20activities%20performed%20against%20the%20directory%2C%20such%20as%20replication%20or%20SMB%20session%20enumeration%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EYou%20can%20get%20the%20full%20list%20of%20supported%20events%20or%20action%20types%20in%20the%20in-portal%20reference.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22AATPTable2.png%22%20style%3D%22width%3A%20786px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F213256i0E34C1C13CD27A5B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22AATPTable2.png%22%20alt%3D%22AATPTable2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20are%20some%20samples%20queries%20you%20can%20use%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%2F%2FTrack%20domain%20controller%20replication%3CBR%20%2F%3EIdentityDirectoryEvents%3CBR%20%2F%3E%7C%20where%20ActionType%20%3D%3D%20%22Directory%20Services%20replication%22%3CBR%20%2F%3E%7C%20limit%20100%3C%2FPRE%3E%0A%3CP%3E-ERR%3AREF-NOT-FOUND-Run%20query%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%2F%2FTrack%20service%20creation%20activities%20on%20domain%20controllers%3CBR%20%2F%3EIdentityDirectoryEvents%3CBR%20%2F%3E%7C%20where%20ActionType%20%3D%3D%20%22Service%20creation%22%3CBR%20%2F%3E%7C%20extend%20ServiceName%20%3D%20AdditionalFields%5B%22ServiceName%22%5D%3CBR%20%2F%3E%7C%20extend%20ServiceCommand%20%3D%20AdditionalFields%5B%22ServiceCommand%22%5D%3CBR%20%2F%3E%7C%20project%20Timestamp%2C%20ActionType%2C%20Protocol%2C%20DC%20%3D%20TargetDeviceName%2C%20ServiceName%2C%20ServiceCommand%2C%20AccountDisplayName%2C%20AccountSid%2C%20AdditionalFields%3CBR%20%2F%3E%7C%20limit%20100%3C%2FPRE%3E%0A%3CP%3E-ERR%3AREF-NOT-FOUND-Run%20query%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%2F%2FFind%20the%20latest%20password%20change%20event%20for%20a%20specific%20account%3CBR%20%2F%3Elet%20userAccount%20%3D%20'%3CINSERT%20your%3D%22%22%20user%3D%22%22%20account%3D%22%22%3E'%3B%3CBR%20%2F%3Elet%20deviceAccount%20%3D%20'%3CINSERT%20your%3D%22%22%20device%3D%22%22%20account%3D%22%22%3E'%3B%3CBR%20%2F%3EIdentityDirectoryEvents%3CBR%20%2F%3E%7C%20where%20ActionType%20%3D%3D%20%22Account%20Password%20changed%22%3CBR%20%2F%3E%7C%20where%20TargetAccountDisplayName%20%3D%3D%20userAccount%3CBR%20%2F%3E%2F%2FIf%20you%20are%20looking%20for%20last%20password%20change%20of%20a%20device%20account%20comment%20the%20above%20row%20and%20remove%20comment%20from%20the%20below%20row%3CBR%20%2F%3E%2F%2F%7C%20where%20TargetDeviceName%20%3D%3D%20deviceAccount%3CBR%20%2F%3E%7C%20summarize%20LastPasswordChangeTime%20%3D%20max(Timestamp)%20by%20TargetAccountDisplayName%20%2F%2F%20or%20change%20to%20TargetDeviceName%20for%20device%20account%3C%2FINSERT%3E%3C%2FINSERT%3E%3C%2FPRE%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsecurity.microsoft.com%2Fhunting%3Fquery%3DH4sIAAAAAAAEAJ1U0U7CQBCcZxP_4eKL-sQHKCZENCExxgd-oJSCjZQ2bQFr_Hhnp5QcRQqay7XX7czudHbTHnp4RowlpnAo8Y6I9wUCniMUvDpkfCq4NkiRCxcSF5AzFzrCmnsp7EwYx7eOjIzxkNln3KGiIVeKldCXuGClSLwV0RGZgz2EQ5_7GvdSWCMsWgmRe7x27gey7vYqTKXTdER_ruJzj1caCWexmLvCkPdcDpRypcLTzqlCjG9m28jzXJkHwsZELzEmPlO0L31XB6rfOvsyJeO3GmMiciHKVkbTaz2z7ld45TXx6h_rkNXocY3Y5cYzpxr1JKVcH3J27s3HQtrPma5UeYMTXXA6J1JcPzezHGDCN2udc542itXzbhqT3dt2hpnwiZdrwutim6PO1Xx9l8tDT3fb1a6pbLpXMGK6LGOML7Fftv61Z-DR825MdFPLif-Jm13U2KYlw62-rPrXbNi3u21P9_tmM3-OD81E1E7Y3-Kwuz9qGJu7pgQAAA%26amp%3BrunQuery%3Dtrue%26amp%3BtimeRangeId%3Dweek%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ERun%20query%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20always%2C%20please%20let%20us%20know%20what%20you%20think%20and%20how%20we%20can%20tweak%20this%20enhancement%20further!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20learn%20more%20about%20advanced%20hunting%20in%20Microsoft%20Threat%20Protection%20and%20these%20new%20enhancements%2C%20go%20to%20the%20following%20links%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E-ERR%3AREF-NOT-FOUND-Advanced%20hunting%20overview%3C%2FLI%3E%0A%3CLI%3E-ERR%3AREF-NOT-FOUND-Preview%20features%3C%2FLI%3E%0A%3CLI%3E-ERR%3AREF-NOT-FOUND-MTP%20Git%20community%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fadvanced-hunting-identitydirectoryevents-table%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EIdentityDirectoryEvents%20schema%3C%2FA%3E%20%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1598212%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EWe%E2%80%99re%26nbsp%3Bthrilled%20to%20share%20that%20you%20can%20now%20hunt%20for%20threats%20using%20events%20on%20your%20domain%20controller%20with%20advanced%20hunting%20in%20Microsoft%20Threat%20Protection.%20%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Microsoft

 

We’re thrilled to share that you can now hunt for threats using events on your domain controller with advanced hunting in Microsoft Threat Protection.

 

The new IdentityDirectoryEvents table—available in public preview—incorporates data from the Azure Advanced Threat Protection (Azure ATP) sensor, including various identity-related activities, such as account password changes or remote creation of scheduled tasks on the domain controller.

 

AATPTable.png

 

In general, the table captures three categories of events on your domain controller:

  • Remote code execution
  • Changes to attributes of Active Directory objects, including groups, users, and devices
  • Other activities performed against the directory, such as replication or SMB session enumeration

You can get the full list of supported events or action types in the in-portal reference.

 

AATPTable2.png

 

Here are some samples queries you can use:

 

//Track domain controller replication
IdentityDirectoryEvents
| where ActionType == "Directory Services replication"
| limit 100

Run query

 

//Track service creation activities on domain controllers
IdentityDirectoryEvents
| where ActionType == "Service creation"
| extend ServiceName = AdditionalFields["ServiceName"]
| extend ServiceCommand = AdditionalFields["ServiceCommand"]
| project Timestamp, ActionType, Protocol, DC = TargetDeviceName, ServiceName, ServiceCommand, AccountDisplayName, AccountSid, AdditionalFields
| limit 100

Run query

 

//Find the latest password change event for a specific account
let userAccount = '<insert your user account>';
let deviceAccount = '<insert your device account>';
IdentityDirectoryEvents
| where ActionType == "Account Password changed"
| where TargetAccountDisplayName == userAccount
//If you are looking for last password change of a device account comment the above row and remove comment from the below row
//| where TargetDeviceName == deviceAccount
| summarize LastPasswordChangeTime = max(Timestamp) by TargetAccountDisplayName // or change to TargetDeviceName for device account

Run query

 

 

As always, please let us know what you think and how we can tweak this enhancement further!

 

To learn more about advanced hunting in Microsoft Threat Protection and these new enhancements, go to the following links: