Azure ATP Unresolved Entity


Since 3 days ago we have an entity in Azure ATP called WORKSTATION that has the tag Unresolved (This user/computer/group was not synced from the domain, and was partially resolved via a global catalog. Some attributes are not available). When checking the entity's timeline activities there are multiple failed logon attempts using a wrong password from random users. There is also a failed attempt from a non-existent domain account. Does anyone have any ideas where this appeared and how I can investigate this (get to the bottom of this)?


What do you mean by "partially resolved via a global catalog"?

Usually when an entity is resolved from AD it's fully resolved, and if it's partial, we don't get info from AD at all.


Hi Christian,


We had something similar from "MSTSC" - hopefully the details below will help you identify things further? The process followed was:

On the specific Domain Controller that is being targeted - use the following:

https://support.microsoft.com/en-au/help/109626/enabling-debug-logging-for-the-netlogon-service


Enable:

Nltest /DBFlag:1004

net stop netlogon

net start netlogon

Disable:

Nltest /DBFlag:0x0

net stop netlogon

net start netlogon


The value of 1004 should focus on:

#define NL_LOGON          0x00000004 // Logon processing

#define NL_SERVER_SESS    0x00001000 // Server session maintenance

(more details at the bottom of that KB Article)


Log files end up in %windir%\debug\netlogon.log


From this we were able to identify the specific machine that was being used to attempt to login via the RDP Client - hence the use of MSTSC.exe in the Azure ATP logs - and then backtrack from there. We did make the comment in feedback to the Azure ATP team that it seemed strange that this wasn't flagged as an RDP login in the first place...? I'm guessing what you might be seeing is a connection via the Workstation service perhaps?

Hope that helps
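To make the netlogon.log step above actionable, here is an added Python example (not from the original post or from Microsoft) that parses the SamLogon "Returns" lines and groups failed logons by source host, flagging hosts that tried many distinct accounts or a non-existent account. The log lines are constructed, and the field layout is assumed from the documented netlogon debug format.

```python
import re
from collections import Counter, defaultdict

# Assumed netlogon.log line shape (constructed sample below, not a real capture):
#   MM/DD HH:MM:SS [LOGON] [pid] DOMAIN: SamLogon: <Type> logon of DOMAIN\user
#       from <source host> (via <dc>) Returns 0x<NTSTATUS>
LINE_RE = re.compile(
    r"^\d\d/\d\d \d\d:\d\d:\d\d \[LOGON\] \[\d+\] (?P<dom>\S+): SamLogon: "
    r"(?P<type>.+?) logon of (?P<account>\S+) from (?P<src>\S+) "
    r"\(via (?P<via>\S+)\) Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# NTSTATUS values worth recognising when triaging failed logons.
STATUS_NAMES = {
    "0x0": "SUCCESS",
    "0xC000006A": "WRONG_PASSWORD",
    "0xC0000064": "NO_SUCH_USER",
    "0xC0000234": "ACCOUNT_LOCKED_OUT",
}

SAMPLE_LOG = r"""
05/14 10:01:02 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WORKSTATION (via DC01) Entered
05/14 10:01:02 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WORKSTATION (via DC01) Returns 0xC000006A
05/14 10:01:05 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from WORKSTATION (via DC01) Returns 0xC000006A
05/14 10:01:09 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\bjones from WORKSTATION (via DC01) Returns 0xC000006A
05/14 10:01:12 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\nosuchuser from WORKSTATION (via DC01) Returns 0xC0000064
05/14 10:02:00 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from LAPTOP07 (via DC01) Returns 0x0
05/14 10:02:30 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\mlee from LAPTOP07 (via DC01) Returns 0xC000006A
"""

def parse_netlogon(text):
    """Yield one dict per 'Returns' line; 'Entered' lines and other noise are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            code = "0x" + e["status"][2:].upper()          # normalise hex case
            e["status"] = STATUS_NAMES.get(code, code)      # keep unknown codes raw
            yield e

def summarize_failures(text):
    """Count failed logons per (source host, status) and the accounts each host tried."""
    by_src, accounts = defaultdict(Counter), defaultdict(set)
    for e in parse_netlogon(text):
        if e["status"] != "SUCCESS":
            by_src[e["src"]][e["status"]] += 1
            accounts[e["src"]].add(e["account"])
    return by_src, accounts

def suspicious_sources(text, min_distinct_accounts=3):
    """Hosts that failed against several distinct accounts or tried a non-existent one."""
    by_src, accounts = summarize_failures(text)
    return sorted(s for s in by_src
                  if len(accounts[s]) >= min_distinct_accounts or by_src[s]["NO_SUCH_USER"])
```

Run it against the real %windir%\debug\netlogon.log once the flag has been enabled for long enough to catch a few of the failed attempts seen in the Azure ATP timeline.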