Domain synchronizer process "all entities from a specific Active Directory domain proactively"


Hello,

The MS docs for the ATP Sensor (https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-architecture) mention the "Domain synchronizer process". I understand one of the functions of this process is to identify ADDS servers that do not have the ATP Sensor installed. The other function this performs is the synchronizing of entities.

 

I'm trying to understand what "all entities" is referencing in the following statement: 

"The domain synchronizer process is responsible for synchronizing all entities from a specific Active Directory domain proactively (similar to the mechanism used by the domain controllers themselves for replication)." Does this process replicate any ADDS object attributes to the ATP instance? Or is the purpose of this role only to look for infrastructure changes within the domain/forest, such as domain controllers being added?

 

Thanks

4 Replies

@Bryan Bishop ,

It's actually both.

We use it to create a DC inventory, and also to sync entities like Users, Machines, Groups, Domains, Sites, Forests, Trusts, Policies.

For each entity there is a set of attributes (which are interesting to detection) that we are syncing.

 

Eli


@Eli Ofek 

Thanks for the response. Where can I find a reference to which properties of each object/entity are synced?

 

Thanks!


@Bryan Bishop 

You can find partial info here:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/monitored-activities

I don't think there is an official list maintained in the docs, as it's very dynamic, and might change on a weekly basis.

For now the rule of thumb is that we may sync anything from AD about Users, Machines, Groups, Domains, Sites, Forests, Policies, Trusts which is not a "secret" like a password or a hash (which are also not interesting for detection).

Viewing the profile page of an entity, you can also see some of the data we sync, although the data displayed is not all the data synced.
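To make the answer above concrete from the defender's side, here is an added example (not Microsoft's or the Azure ATP sensor's own code, and not a description of how the product implements its sync) that builds the same kind of inventory with ordinary directory reads: the domain controller list a sensor deployment should cover, plus the non-secret entity classes Eli names (users, machines, groups, domains, sites, forests, trusts, policies). It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules are installed and that the caller has normal domain read rights; the attribute selections are the example's own choices, not the product's list.

```powershell
# Added example: defender-side inventory of the entity classes named in the thread.
# Assumptions: RSAT ActiveDirectory + GroupPolicy modules, domain-joined host,
# caller with ordinary read access. Nothing here is the ATP sensor's own logic.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Domain controller inventory: the hosts a sensor rollout must cover.
$dcs = Get-ADDomainController -Filter * -Server $domain.DNSRoot |
    Select-Object HostName, Site, IPv4Address, IsGlobalCatalog, IsReadOnly, OperatingSystem

# 2. Entity classes, restricted to attributes useful as detection context.
#    Password-derived attributes (unicodePwd, ntPwdHistory, ...) are never returned
#    by LDAP reads regardless of rights, so a read-only inventory cannot collect them.
$userProps = 'lastLogonTimestamp', 'pwdLastSet', 'userAccountControl',
             'servicePrincipalName', 'memberOf', 'adminCount'
$users = Get-ADUser -Filter * -Properties $userProps |
    Select-Object SamAccountName, DistinguishedName, Enabled, adminCount,
        @{ n = 'PwdLastSet';    e = { [DateTime]::FromFileTime($_.pwdLastSet) } },
        @{ n = 'LastLogon';     e = { [DateTime]::FromFileTime($_.lastLogonTimestamp) } },
        @{ n = 'HasSPN';        e = { $_.servicePrincipalName.Count -gt 0 } },
        @{ n = 'GroupCount';    e = { $_.memberOf.Count } }

$machineProps = 'operatingSystem', 'lastLogonTimestamp', 'userAccountControl', 'dNSHostName'
$machines = Get-ADComputer -Filter * -Properties $machineProps |
    Select-Object Name, dNSHostName, operatingSystem, Enabled,
        @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.lastLogonTimestamp) } }

$groups = Get-ADGroup -Filter * -Properties member, adminCount |
    Select-Object Name, GroupScope, GroupCategory, adminCount,
        @{ n = 'MemberCount'; e = { $_.member.Count } }

$sites  = Get-ADReplicationSite -Filter * | Select-Object Name, DistinguishedName
$trusts = Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SIDFilteringForestAware
$gpos   = Get-GPO -All | Select-Object DisplayName, Id, GpoStatus, ModificationTime

# 3. Summary object: what a defender can review or diff between runs.
$inventory = [PSCustomObject]@{
    Forest            = $forest.Name
    ForestDomains     = @($forest.Domains)
    Domain            = $domain.DNSRoot
    DomainControllers = $dcs
    Counts            = [PSCustomObject]@{
        Users = $users.Count; Machines = $machines.Count; Groups = $groups.Count
        Sites = $sites.Count; Trusts = $trusts.Count;     Policies = $gpos.Count
    }
    # Accounts flagged as protected (adminCount=1) are a useful first review set.
    ProtectedAccounts = @($users | Where-Object { $_.adminCount -eq 1 } | Select-Object -ExpandProperty SamAccountName)
    Trusts            = $trusts
}

# Persist a snapshot; comparing snapshots over time surfaces new DCs, new trusts,
# or new protected accounts without touching any secret attribute.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$inventory | ConvertTo-Json -Depth 4 | Set-Content -Path ".\ad-inventory-$stamp.json"
$inventory.Counts
```

The point of the snapshot is the diff: re-running it after a change and comparing the two JSON files shows exactly the kind of infrastructure event the original question asked about (a domain controller or trust appearing) alongside entity-level context, while the attribute list stays deliberately free of anything password-derived.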


@Eli Ofek Thanks again for the update and the link. I believe that has the details I need. Thank you