ATP sensors...download report shows far more domain controllers than expected


On the sensors config page, it shows "Azure ATP sensors on xxx of yyy domain controllers". What we are seeing is that yyy is definitely more domain controllers than are in our forest. How is ATP determining that list of DCs? If I download the list, I am seeing domain controllers listed that were decommissioned some time ago, hence it looks like ATP does not update/prune its discovery list.

Anyone else see this?

5 Replies

@StuartH. It's a known issue in case the read-only AD user account supplied to AATP does not have access to the AD Deleted Objects folder.

We are working on discovering this info in another way that won't need special permissions.

This feature is now being tested with select customers, and when it is mature enough it will be released to everyone, after which the mentioned report should look fine.

@EliOfek Appreciated.

Having enabled read rights for the directory account on our multiple \Deleted Objects containers (we have a single forest with multiple domains), we are still seeing the "retired" sensors in the list. Does something else need to be done to kick this into life and prune things away?

How close are you to the new "feature", where this wouldn't be needed?
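The thread turns on two facts: the AATP directory service account needs read access to the Deleted Objects container of every domain, and deleted DC objects only remain discoverable until the forest's tombstone lifetime expires. The script below is an added example, not code from the thread or from Microsoft. It assumes RSAT with the ActiveDirectory module, Enterprise Admin rights, and a placeholder account name `CONTOSO\svc-aatp`; it applies the take-ownership-then-grant dsacls steps per domain, verifies the ACE, reads the forest tombstone lifetime, and lists the deleted DC computer objects the account could still see.

```powershell
# Added example (not from the thread or from Microsoft). Assumptions:
#   - run as Enterprise Admin on a domain-joined host with RSAT installed
#   - 'CONTOSO\svc-aatp' is a placeholder for the AATP directory service account
#Requires -Modules ActiveDirectory
param(
    [string]$DirectoryServiceAccount = 'CONTOSO\svc-aatp'   # placeholder
)
Import-Module ActiveDirectory

$forest   = Get-ADForest
$configNc = (Get-ADRootDSE).configurationNamingContext

# tombstoneLifetime lives on the forest-wide Directory Service object. When the
# attribute is unset the effective value is 60 days (pre-2003 SP1 forests).
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                         -Properties tombstoneLifetime
$tombstoneDays = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }
"Forest tombstone lifetime: $tombstoneDays days (DCs deleted earlier than this are gone for good)"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    # dsacls accepts \\server\DN, which lets us target each domain's own DC
    $target = "\\$($domain.PDCEmulator)\CN=Deleted Objects,$($domain.DistinguishedName)"

    # Deleted Objects is not readable by default; an admin takes ownership first,
    # then grants LC (List Contents) + RP (Read Property) to the service account.
    dsacls $target /takeownership | Out-Null
    dsacls $target /G "${DirectoryServiceAccount}:LCRP" | Out-Null

    # Verify: dsacls prints one block per trustee, so the account name appearing
    # in the output means an ACE for it is present.
    $aclText = dsacls $target
    $hasAce  = [bool]($aclText | Select-String -SimpleMatch $DirectoryServiceAccount)
    "{0}: ACE for {1} present = {2}" -f $domainName, $DirectoryServiceAccount, $hasAce

    # What the account can now enumerate: deleted computer objects still inside
    # the tombstone window. Retired DCs older than that will not show up here.
    Get-ADObject -Server $domain.PDCEmulator -IncludeDeletedObjects `
                 -Filter 'isDeleted -eq $true -and objectClass -eq "computer"' `
                 -Properties whenChanged |
        Select-Object @{n='Domain';e={$domainName}}, Name, whenChanged
}
```

Run it once per forest from an account that can take ownership of the container; the `Get-ADObject` listing at the end is the practical check for the "after the fact" concern, since anything deleted longer ago than the tombstone lifetime simply does not appear.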

@StuartH. Giving access after the fact will not always solve the issue.

We are still perfecting the new solution, and although we do have progress, I don't have a release date yet.

I hope it will be a few weeks before we can deploy it globally.

@EliOfek Well, I wondered how that would work after the fact, as I assumed that the service account would compare what was deleted to what exists, but after the tombstone lifetime, how would it ever know the retired DC existed?

Is there no way to clean up those retired DCs some other way?

@StuartH. Currently no, but once the new feature is available it will detect "unreachable DCs" and mark them as missing, and thus also remove them from the report.