MCAS Activity log: "back and forth" entries on changed properties

Hi everyone,

In the MCAS Activity log we have many "back and forth" entries for the properties "Computer Operating System" and "AccountSupportedEncryptionTypes": the property changes from N/A to a value, and 3 minutes later it changes back from the value to N/A.

 

Examples:

5/15/21 3:20 AM

property: Computer Operating System device AWxxxxx001 from property Windows Server 2019 Datacenter, 10.0 (17763) to property N/A

5/15/21 3:23 AM

property: Computer Operating System device AWxxxxx001 from property N/A to property Windows Server 2019 Datacenter, 10.0 (17763)

5/15/21 3:20 AM

Set property: AccountSupportedEncryptionTypes device AWxxxxx001 from property Rc4,Aes128,Aes256 to property N/A

5/15/21 3:23 AM

Set property: AccountSupportedEncryptionTypes device AWxxxxx001 from property N/A to property Rc4,Aes128,Aes256

5/15/21 3:24 AM

Set property: AccountSupportedEncryptionTypes device AWxxxxx001 from property Rc4,Aes128,Aes256 to property N/A


I suppose these property changes are detected by MDI on the AD computer attribute object.

We have many similar cases; in this example the device is a Domain Controller, created one year ago.
We do not touch the attributes msDS-SupportedEncryptionTypes, operatingSystem or operatingSystemVersion in AD.

Any idea who detected these property changes (MDI?) and why?


Best regards,
Danny

1 Reply
Those are detected by MDI. MDI follows the USN changes on those entities, and when the USN # changes, it checks what has changed from the previous USN and logs the activity.
For this machine that keeps changing, can you check the USN number after every MDI report? Does it stay the same? If not, it's proof that something indeed touched this entity (maybe for a brief moment)... and you might not be aware of what does it.
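
One way to run the USN check suggested in the reply, as an added example that is not part of the original thread: it polls the computer object's uSNChanged on a single DC and, when the value moves, records which attributes were written and where the write originated. The computer name, DC name, interval and output path are placeholders, and the ActiveDirectory (RSAT) module is assumed to be installed.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory RSAT module.
# All parameter defaults are placeholders to replace before running.
param(
    [string]$ComputerName    = 'PLACEHOLDER-COMPUTER',  # the device named in the activity log
    [string]$Server          = 'PLACEHOLDER-DC',        # uSNChanged is local to each DC: always ask the same one
    [int]   $IntervalSeconds = 30,
    [string]$OutFile         = '.\usn-watch.csv'
)
Import-Module ActiveDirectory

# Attributes behind the two properties discussed in the thread
$watched = 'operatingSystem', 'operatingSystemVersion', 'msDS-SupportedEncryptionTypes'
$lastUsn = $null

while ($true) {
    $c = Get-ADComputer -Identity $ComputerName -Server $Server `
            -Properties (@('uSNChanged', 'whenChanged') + $watched)

    if ($null -ne $lastUsn -and $c.uSNChanged -ne $lastUsn) {
        # The object was written on this DC since the previous poll.
        # Replication metadata shows which attributes, and which DC originated the write.
        $changed = @(
            Get-ADReplicationAttributeMetadata -Object $c.DistinguishedName -Server $Server |
                Where-Object { $_.LocalChangeUsn -gt $lastUsn } |
                Select-Object @{ n = 'ObservedAt'; e = { Get-Date -Format o } },
                              @{ n = 'Watched';    e = { $watched -contains $_.AttributeName } },
                              AttributeName, AttributeValue, Version, LocalChangeUsn,
                              LastOriginatingChangeTime,
                              LastOriginatingChangeDirectoryServerIdentity
        )
        $changed | Export-Csv -Path $OutFile -Append -NoTypeInformation
        $changed | Format-Table -AutoSize | Out-Host
    }
    else {
        Write-Host ("{0:o}  uSNChanged={1} (no change)" -f (Get-Date), $c.uSNChanged)
    }

    $lastUsn = $c.uSNChanged
    Start-Sleep -Seconds $IntervalSeconds
}
```

Compare the ObservedAt and LastOriginatingChangeTime values in the CSV with the timestamps in the activity log. A Version counter that increases between polls means the attribute was actually written, even if its value ends up the same as before.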