cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MCAS Activity log: "back and forth" entries on changed properties

DanPan
Copper Contributor

‎May 20 2021 08:19 AM

‎May 20 2021 08:19 AM

MCAS Activity log: "back and forth" entries on changed properties

Hi everyone,

 

In MCAS Activity log we have many "back and forth" entries regarding the property "Computer Operating System" & "AccountSupportedEncryptionTypes" changed from N/A to a value and 3 minutes later the property changed back from a value to N/A.

 

Examples:

5/15/21 3:20 AM

propertyComputer Operating System device AWxxxxx001 from property Windows Server 2019 Datacenter, 10.0 (17763) to property N/A

5/15/21 3:23 AM

property: Computer Operating System device AWxxxxx001 from property N/A to property Windows Server 2019 Datacenter, 10.0 (17763)

 

5/15/21 3:20 AM

Set propertyAccountSupportedEncryptionTypes device AWxxxxx001 from property Rc4,Aes128,Aes256 to property N/A

5/15/21 3:23 AM

Set propertyAccountSupportedEncryptionTypes device AWxxxxx001 from property N/A to property Rc4,Aes128,Aes256

5/15/21 3:24 AM

Set property: AccountSupportedEncryptionTypes device AWxxxxx001 from property Rc4,Aes128,Aes256 to property N/A


I suppose these property changes are detected by MDI on the AD computer attribute object.

 

We have many similar cases, in this example the device is a Domain Controller, created one year ago.
We do not touch the attributes msDS-SupportedEncryptionTypes, operatingSystem or operatingSystemVersion in AD.

 

Any idea who detected these property changes (MDI?) and why?


Best regards,
Danny

MDI_MCAS_Activity_log_set_property_back_and_forth.jpg

 

MDI_MCAS_Activity_log_set_property_back_and_forth_2.jpg

713 Views
0 Likes
1 Reply
Reply
1 Reply
Eli Ofek

‎May 23 2021 03:19 AM

‎May 23 2021 03:19 AM

Re: MCAS Activity log: "back and forth" entries on changed properties

Those are detected by MDI. MDI follows the usn changes on those entities, and when the usn # changes, it checks what has changed from the previous syn and log the activity.
for this machine that keeps changing, can you check the usn number after every MDI report ? does it stay the same? if not, it's a proof that something indeed touched this entity (maybe for a brief moment)... and you might not be aware of what does it.
0 Likes
Reply