We are happy to announce that starting from version 2.112, in addition to monitoring the “Deleted objects” container, Azure ATP now detects deleted entities such as group, user, and computer accounts.
The new event types are:
4726 - User Account Deleted
4743 - Computer Account Deleted
4730 - Global Security Group Deleted
4758 - Universal Security Group Deleted
4753 - Global Distribution Group Deleted
4763 - Universal Distribution Group Deleted
This improved logic will increase our accuracy in tagging entities as “Deleted” and will help us deliver more accurate activities in the future.
What do you need to do?
Enable the following account management audit policies on your domain controllers to trigger auditing of these events.
Note: The user account management policy is turned on by default.
This is also a good reminder to turn on the other event audit policies that the Azure ATP sensor monitors for various detections (such as NTLM authentication using Windows Event 8004).
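As an added example (not Microsoft's code or part of the original post), the following PowerShell script enables the account management audit subcategories that generate the six deletion events listed above, verifies the resulting settings, and then reads any recent deletion events from the local Security log so you can confirm that auditing is actually producing them. The mapping used is: User Account Management for 4726, Computer Account Management for 4743, Security Group Management for 4730 and 4758, and Distribution Group Management for 4753 and 4763. It assumes an elevated session on a domain controller and addresses subcategories by their English display names; the function names and the 24-hour lookback are this example's own choices.

```powershell
# Added example (not Microsoft's code): enable and verify the account
# management audit subcategories behind events 4726/4743/4730/4758/4753/4763,
# then pull recent deletion events from the local Security log.
# Run in an elevated PowerShell session on a domain controller.
# Assumption: English subcategory display names; on a localized DC,
# substitute the subcategory GUIDs in the auditpol calls.

$Subcategories = @(
    'User Account Management',        # 4726
    'Computer Account Management',    # 4743
    'Security Group Management',      # 4730, 4758
    'Distribution Group Management'   # 4753, 4763
)

function Get-AuditSetting {
    param([string]$Name)
    # auditpol /r emits CSV; drop blank lines before parsing and return the
    # "Inclusion Setting" column (e.g. "Success", "Success and Failure", "No Auditing").
    $row = auditpol.exe /get /subcategory:"$Name" /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv
    return $row.'Inclusion Setting'
}

function Enable-DeletionAuditing {
    # Deletion events are success audits, so only success auditing is required.
    foreach ($name in $Subcategories) {
        $before = Get-AuditSetting -Name $name
        auditpol.exe /set /subcategory:"$name" /success:enable | Out-Null
        $after = Get-AuditSetting -Name $name
        [pscustomobject]@{ Subcategory = $name; Before = $before; After = $after }
    }
}

function Get-RecentDeletionEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Security'
        Id        = 4726, 4743, 4730, 4758, 4753, 4763
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent errors when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read named EventData fields from the XML rather than relying on
        # positional Properties indexes, which differ between event IDs.
        [xml]$xml = $_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Deleted     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            DeletedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

# Usage: apply the settings, then review what the DC has logged so far.
Enable-DeletionAuditing | Format-Table -AutoSize
Get-RecentDeletionEvents -Hours 24 | Format-Table -AutoSize
```

One caveat worth checking before relying on the local change: if Advanced Audit Policy Configuration is delivered to domain controllers through Group Policy (the usual case in a managed domain), a local auditpol change is overwritten at the next policy refresh, so the lasting fix is to enable these subcategories in the GPO linked to the Domain Controllers OU and then use Get-AuditSetting above to confirm the effective setting on each DC.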