Microsoft ATA - Auditing permissions Active Directory


Hello, we are testing Microsoft ATA, but we have doubts on some points.

We are trying to see audit logs: who changed the permission groups, deleted a user, etc.

Could you tell us if ATA helps with this monitoring?

Thank you

8 Replies

@Diogo Vida No, ATA has visibility only on the change in AD, but not who did it.

@Eli Ofek, thanks for the feedback.

It wouldn't be cool to have this option to even identify who made any changes.

Thank you.

Hello @Eli,
For us, this type of analysis and auditing is also important across the Active Directory environment.
Is it possible to report this feedback to the Microsoft ATA developers?

Thank you.

Hello @Eli Ofek
For us, this type of analysis and auditing is also important across the Active Directory environment.
Is it possible to report this feedback to the Microsoft ATA developers?

Thank you.

@Diogo Vida, you just did :) I am in the ATA Engineering team.

We get this request often; the problem is that AD does not expose this info in a reasonable manner.

(Or at least we haven't figured out a way just yet.)

@Eli Ofek,

Good morning, thanks for the information, just checked the tool and it is possible to change changes to groups, permissions, users (enabled / disabled).

Sounds great to see the logs/audit!

Hello @Eli Ofek

I just want to confirm: sometimes it audits who edited the group and other times not. Is Microsoft ATA planning to audit activities in the Active Directory environment?

Thank you.

@Diogo Vida, currently we only monitor group modifications for groups determined automatically as sensitive, or manually tagged as sensitive by the customer.

Anyway, I am not familiar with a plan to do full AD auditing at any point.
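
The question in this thread is who made a change. Outside ATA, domain controllers record the acting account in their Security event log when account-management auditing is enabled. The following is an added example, not part of the thread and not ATA functionality, that pulls the actor out of exported event XML; the sample events, host name and account names are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Security-log event IDs (security-enabled groups, user accounts) whose Subject* fields name the actor.
WATCHED = {
    4728: "member added to global group", 4729: "member removed from global group",
    4732: "member added to local group", 4733: "member removed from local group",
    4756: "member added to universal group", 4757: "member removed from universal group",
    4725: "user account disabled", 4726: "user account deleted",
}

# Constructed sample (not real log data), shaped like exported Security-log event XML.
SAMPLE = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4728</EventID><TimeCreated SystemTime="2020-02-13T09:15:02Z"/>
<Computer>dc01.example.test</Computer></System><EventData>
<Data Name="MemberName">CN=Temp User,OU=Staff,DC=example,DC=test</Data>
<Data Name="TargetUserName">Domain Admins</Data>
<Data Name="SubjectUserName">helpdesk1</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
</EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2020-02-13T09:16:40Z"/>
<Computer>dc01.example.test</Computer></System><EventData>
<Data Name="TargetUserName">jdoe</Data></EventData></Event>
<Event><System><EventID>4726</EventID><TimeCreated SystemTime="2020-02-13T09:20:11Z"/>
<Computer>dc01.example.test</Computer></System><EventData>
<Data Name="TargetUserName">jdoe</Data>
<Data Name="SubjectUserName">svc-cleanup</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
</EventData></Event>
</Events>"""

def who_changed_what(xml_text):
    """Return one record per watched event: when, which DC, who acted, on what."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in WATCHED:
            continue  # e.g. 4624 logons are not directory changes
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        records.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "dc": ev.findtext("e:System/e:Computer", namespaces=NS),
            "event_id": event_id,
            "action": WATCHED[event_id],
            "actor": f'{data.get("SubjectDomainName", "?")}\\{data.get("SubjectUserName", "?")}',
            "target": data.get("TargetUserName", ""),   # group or user acted upon
            "member": data.get("MemberName", ""),       # empty for non-membership events
        })
    return records
```

These events are written only on the domain controller that processed the change, so the export has to cover every DC.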