Azure ATP & Your Advanced Audit Policy

Microsoft

A common issue with many security products is the lack of visibility as to the configuration status of your connectors, events and data sources. Without proper configuration, your organization remains unprotected in key areas.

To ensure Azure ATP is receiving the correct Windows events, providing you with maximum coverage, we’ve added a new audit policy check to the Azure ATP sensor.


The Azure ATP sensor installed on each domain controller now checks if your domain controller’s Advanced Audit Policy is configured correctly, and issues a health alert in the event of a misconfiguration.

 

The Advanced Audit Policy provides key information allowing Azure ATP to identify and alert you to group membership changes (what changes were made, and who made the change), enhanced detection for abnormal group modification alerts, and visibility to resource access via NTLM.

 

For more information and remediation steps: aka.ms/aatp/audit

 

Azure ATP, giving you more to protect your environment.

As always, your feedback is welcome. Stay tuned for additional updates.

 

 

[Image: Advanced Audit Policy.JPG]

12 Replies

When running gpresult /h {filename} I can see in the results that both "Audit Credential Validation" and "Audit Security Group Management" are set to "Success, Failure" by the winning GPO "Default Domain Controllers Policy". Given that, I don't understand why I am getting the new alert. Is there somewhere else I should be looking to troubleshoot why this alert is being fired?

 

Running into the same issue on our tenant. If I close the health event it reoccurs within 24 hours.

Right now we only support reading the default domain controllers policy. We are working on supporting custom domain policy.

You can suppress the alert, so it won’t reopen again for a week.

Our default domain controller policy is configured as described in the article. Is there a security right that the agent needs to read the group policies that it might not have?

Same here, followed the documentation exactly. The auditing policy is set on the Default Domain Controller Policy.

I also see the same behavior. To me it looks like a bug in how AzureATP detects that the GPO is missing. In my lab, I also edited the Default Domain Controller Policy, but the alert still stays in the AzureATP console.
However, after I edited the local GPO directly on each domain controller (using gpedit.msc), the alert went away. Either the documentation is not correct, or there's something wrong with how the portal detects if advanced auditing is turned on or off.

Can you navigate to this path:

\\[DomainDnsName]\sysvol\[DomainDnsName]\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit\audit.csv

 

and let us know in each of the cases if the file existed?

(replace DomainDnsName with your real full DNS name...)

My folder shows empty.

Isn't that the wrong GUID for the Default Domain Controllers policy? My understanding is that the GUID you provided is for the Default Domain Policy.

 

How to create the default domain policies: https://support.microsoft.com/en-us/help/556025/how-to-manually-create-default-domain-gpo

 

I'm able to see the file under \\[DomainDnsName]\SYSVOL\[DomainDnsName]\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit\audit.csv which is the correct path for the Default Domain Controller Policy, but not the path you shared, which as @Alex Entringer mentioned, appears to be for the Default Domain Policy.

Any updates on this? Is the ATP team looking in the wrong location for the policy?

Yes, it's a bug, a fix is on its way... not sure when it will be deployed yet, so for now I suggest suppressing the alert.
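
An added example, not part of the thread and not Azure ATP's own logic: a PowerShell check that parses an audit.csv and reports whether the two subcategories named in the thread are set to Success and Failure. The subcategory GUIDs, the column names and the bitmask reading of "Setting Value" are assumptions about the standard audit.csv layout, the sample rows are constructed, and the SYSVOL path uses the Default Domain Controllers Policy GUID quoted in the thread.

```powershell
# Subcategories the thread says must be "Success, Failure", keyed by
# subcategory GUID (assumed standard values; names can vary by tool).
$Required = [ordered]@{
    '{0CCE923F-69AE-11D9-BED3-505054503030}' = 'Audit Credential Validation'
    '{0CCE9237-69AE-11D9-BED3-505054503030}' = 'Audit Security Group Management'
}

function Test-AuditCsv {
    param([Parameter(Mandatory)][object[]]$Rows)   # rows from Import-Csv / ConvertFrom-Csv
    foreach ($guid in $Required.Keys) {
        # -eq on strings is case-insensitive, so GUID casing in the file does not matter.
        $row = $Rows | Where-Object { $_.'Subcategory GUID' -eq $guid } | Select-Object -First 1
        # Setting Value read as a bitmask: 1 = Success, 2 = Failure, 3 = both.
        $value = if ($row) { [int]$row.'Setting Value' } else { 0 }
        [pscustomobject]@{
            Subcategory = $Required[$guid]
            Present     = [bool]$row
            Setting     = if ($row) { $row.'Inclusion Setting' } else { '(not in file)' }
            Compliant   = (($value -band 3) -eq 3)
        }
    }
}

# Constructed sample in the audit.csv column layout (not taken from the thread):
# the second subcategory audits Success only, so it is reported as non-compliant.
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1
'@ | ConvertFrom-Csv
Test-AuditCsv -Rows $sample | Format-Table -AutoSize

# On a domain-joined host: read the file from the Default Domain Controllers
# Policy GPO. USERDNSDOMAIN is assumed to hold the domain's full DNS name.
$dns  = $env:USERDNSDOMAIN
$file = "\\$dns\SYSVOL\$dns\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit\audit.csv"
if ($dns -and (Test-Path -LiteralPath $file)) {
    Test-AuditCsv -Rows (Import-Csv -LiteralPath $file) | Format-Table -AutoSize
} elseif ($dns) {
    Write-Warning "No audit.csv at $file (no advanced audit settings in that GPO)."
}
```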