Improved detection for deleted entities

Microsoft

We are happy to announce that starting from version 2.112, in addition to monitoring the “Deleted objects” container, Azure ATP now detects deleted entities such as groups, user, and computer accounts.

The new event types are:

  • 4726 - User Account Deleted
  • 4743 - Computer Account Deleted
  • 4730 - Global Security Group Deleted
  • 4758 - Universal Security Group Deleted
  • 4753 - Global Distribution Group Deleted
  • 4763 - Universal Distribution Group Deleted

This improved logic will increase our accuracy in tagging entities as “Deleted” and will help us deliver more accurate activities in the future.


What do you need to do?

Enable the following account management audit policies on your domain controllers so that these events are generated and audited.

Note: The user account management policy is turned on by default.

[Image: Audit.png, the account management audit policy settings to enable]
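As an added example (not code from the original post or from Azure ATP itself), the following PowerShell enables the four account management subcategories that generate the six event IDs listed above, prints the effective settings, and then checks the Security log for recent deletion events so you can confirm the policy took effect. The event-ID-to-subcategory mapping is standard Windows auditing behaviour; the assumption that these four subcategories are the policies the screenshot shows, the 24-hour window, and the variable names are mine.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# session on a domain controller. Assumption: the four subcategories below are the
# "account management audit policies" the post refers to; the mapping from event
# ID to subcategory is standard Windows auditing behaviour.

$subcategories = @{
    'User Account Management'       = @(4726)        # user account deleted
    'Computer Account Management'   = @(4743)        # computer account deleted
    'Security Group Management'     = @(4730, 4758)  # global / universal security group deleted
    'Distribution Group Management' = @(4753, 4763)  # global / universal distribution group deleted
}

# 1. Enable auditing for each subcategory with the built-in auditpol tool.
foreach ($name in $subcategories.Keys) {
    auditpol.exe /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
}

# 2. Show the effective settings so the change can be confirmed.
auditpol.exe /get /category:"Account Management"

# 3. Look for deletion events written to the Security log in the last 24 hours.
$ids = @($subcategories.Values | ForEach-Object { $_ })
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No deletion events in the last 24 hours. If a GPO also sets audit policy, check that it does not override these settings, then wait for the next deletion.'
    return
}

# 4. Pull the deleted object and the deleting principal out of each event's XML.
#    TargetUserName / SubjectUserName are the standard field names in these events.
$events | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Deleted = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        By      = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
    }
} | Format-Table -AutoSize
```

Settings made with auditpol on a single domain controller are overwritten the next time a Group Policy that configures Advanced Audit Policy applies, so in a domain the durable place to enable these subcategories is the Default Domain Controllers Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Management); the script above is still useful for verifying what is actually in effect and that the events are being written.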


This is also a good reminder to turn on the other event audit policies that the Azure ATP sensor monitors for various detections (such as NTLM authentication, using Windows Event 8004).


Happy auditing.
