Mar 19 2020 12:00 AM
We are happy to announce that starting from version 2.112, in addition to monitoring the “Deleted objects” container, Azure ATP now detects deleted entities such as group, user, and computer accounts directly from the corresponding account management audit events.
The new event types are:
This improved logic will increase our accuracy in tagging entities as “Deleted” and will help us deliver more accurate activities in the future.
What do you need to do?
Enable the following account management audit policies on your domain controllers so that these events are written to the Security log and picked up by the Azure ATP sensor.
Note: The user account management policy is turned on by default; the others typically are not.
This is also a good reminder to turn on the other audit policies that the Azure ATP sensor relies on for various detections (such as NTLM authentication auditing, which produces Windows Event 8004).
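The following is an added example, not part of the original post, showing how to enable the account management audit subcategories on a domain controller and verify the result. It assumes the three Advanced Audit Policy subcategories that match the entity types named above (User Account Management, Security Group Management, Computer Account Management) are the policies the post refers to; those subcategory names are the standard Windows ones, everything else here is illustrative.

```powershell
# Added example (not from the Azure ATP post). Run elevated on a domain controller.
# Assumption: these three Advanced Audit Policy subcategories are the "account
# management audit policies" the post refers to. "User Account Management" is on
# by default; the other two usually are not.
$subcategories = @(
    'User Account Management',
    'Security Group Management',
    'Computer Account Management'
)

foreach ($sub in $subcategories) {
    # Success auditing is what produces the deletion events; failure auditing
    # is cheap and also useful for detection, so both are enabled here.
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
}

# Verify: 'auditpol /get' prints one line per subcategory with its effective
# setting ("Success", "Success and Failure" or "No Auditing").
$report = auditpol.exe /get /category:"Account Management"
$report

$notEnabled = foreach ($sub in $subcategories) {
    $line = $report | Where-Object { $_ -match [regex]::Escape($sub) }
    if ($line -notmatch 'Success') { $sub }
}
if ($notEnabled) {
    Write-Warning "Success auditing is still off for: $($notEnabled -join ', ')"
} else {
    Write-Host 'All three account management subcategories audit Success.'
}
```

One caveat for production use: on a domain-joined machine, Group Policy re-applies audit settings at refresh time and will overwrite a local auditpol change. The durable way to get the same result is to configure these subcategories under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration in the GPO linked to the Domain Controllers OU (for example the Default Domain Controllers Policy), and to make sure the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option is enabled so the advanced settings take effect. The verification half of the script (the `auditpol /get` check) is still the right way to confirm what a given DC is actually auditing.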
Happy auditing.