Resource access by Azure ATP Directory Services user account


Today I noticed a high investigation priority score in Cloud App Security for the AD user account configured under "Directory Services" in Azure ATP.

Reviewing that user's timeline in Azure ATP:

From the time we deployed Azure ATP up to 4 months ago:

"Credentials validated" events for DCs with sensors installed, between 100-200 a day.

Looks like normal activity to me.

From August 5th up until 2 days ago:

Barely any events, one credential validation, queries from 2 random workstations.

Seems very strange that the credential validation events from sensors weren't happening?

December 3rd:

Accessed 15 resources (mix of workstations and servers) from one DC where the sensor is installed - the DC is in a remote site (Azure site containing just a few servers).

Strange - that's the first recorded instance of resource access.

December 4th:

Accessed 39 resources (nearly all workstations) from another DC, this time located in the site where servers/workstations are located.

Makes more sense than the last one, but still strange.

Unsure if there have been changes to how the sensor behaves (regarding resource access) or if there's an error in our site. Throughout the whole period I would occasionally get "Sensor has not communicated" and "reverse DNS lookup failure" health alerts from ATP, but none of those couldn't be explained.

Local error logs for the sensors don't seem to go back far enough for me to correlate when these things started and stopped, but I see a fair few occurrences of these events:

2019-12-05 01:38:40.0776 Error Parser Incomplete authentication activity [AuthenticationActivity=Type=KerberosAp StartTime=12/05/2019 01:38:40 EndTime=01/01/0001 00:00:00 SourceIpAddress=10.101.101.186 SourcePort=53630 DestinationIpAddress=10.30.10.33 DestinationPort=445 TransportProtocol=Tcp Type=Microsoft.Tri.Common.KerberosAp SourceAccountName= ResourceName=cifs/thisdc.domain.local/domain.local Error=Success Options=MutualRequired]
2019-11-27 07:55:42.0851 Error DirectoryServicesClient+<SearchInternalAsync>d__27 Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [DomainControllerDnsName=thisdc.domain.local IsGlobalCatalog=False DistinguishedName= Scope=Base Filter= AttributeCount=16] ---> System.DirectoryServices.Protocols.DirectoryOperationException: The server is unavailable.

Is anyone able to share with me what authentication patterns in ATP they're seeing for the Azure ATP directory user, or suggest where I might look to find out what's responsible for the changes?
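
The sensor log lines quoted above share one shape: timestamp, level, component, free-text message, a bracketed Key=Value block, and optionally a "--->" wrapped .NET exception. As an added example (not part of the original post or of the Azure ATP product), this Python parser reads such lines and reports, per message, how often it occurred and when it was first and last seen, which is the "when did this start and stop" question the post is asking; the first two input lines are the ones quoted above, the third is constructed.

```python
import re
from datetime import datetime

# Input: the two sensor log lines quoted in the post, plus one constructed repeat of the
# LDAP failure later the same day so the summary has something to count.
SENSOR_LOG = """\
2019-12-05 01:38:40.0776 Error Parser Incomplete authentication activity [AuthenticationActivity=Type=KerberosAp StartTime=12/05/2019 01:38:40 EndTime=01/01/0001 00:00:00 SourceIpAddress=10.101.101.186 SourcePort=53630 DestinationIpAddress=10.30.10.33 DestinationPort=445 TransportProtocol=Tcp Type=Microsoft.Tri.Common.KerberosAp SourceAccountName= ResourceName=cifs/thisdc.domain.local/domain.local Error=Success Options=MutualRequired]
2019-11-27 07:55:42.0851 Error DirectoryServicesClient+<SearchInternalAsync>d__27 Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [DomainControllerDnsName=thisdc.domain.local IsGlobalCatalog=False DistinguishedName= Scope=Base Filter= AttributeCount=16] ---> System.DirectoryServices.Protocols.DirectoryOperationException: The server is unavailable.
2019-11-27 08:10:02.0001 Error DirectoryServicesClient+<SearchInternalAsync>d__27 Microsoft.Tri.Infrastructure.ExtendedException: LDAP search failed [DomainControllerDnsName=thisdc.domain.local IsGlobalCatalog=False DistinguishedName= Scope=Base Filter= AttributeCount=16] ---> System.DirectoryServices.Protocols.DirectoryOperationException: The server is unavailable.
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<level>\S+) (?P<component>\S+) (?P<rest>.*)$")

def parse_fields(body):
    """Parse the bracketed 'Key=Value Key=Value ...' block. Values may contain spaces (StartTime=...)
    or be empty (SourceAccountName=), so split only on a space that is followed by the next Key=."""
    fields = {}
    for token in re.split(r" (?=\w+=)", body):
        key, _, value = token.partition("=")
        # 'AuthenticationActivity=Type=KerberosAp' wraps a nested record: keep the wrapper name under _record.
        if re.fullmatch(r"\w+=\S*", value):
            fields["_record"] = key
            key, _, value = value.partition("=")
        fields[key] = value  # a repeated key (Type=...) overwrites the earlier value
    return fields

def parse_sensor_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace continuation lines carry no timestamp; skip them
        head, _, inner = m["rest"].partition(" ---> ")  # '--->' introduces the wrapped exception
        bracket = re.search(r"\[(.*)\]", head)
        events.append({
            "timestamp": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "level": m["level"], "component": m["component"], "inner_exception": inner.strip(),
            "message": (head[:bracket.start()] if bracket else head).strip(),
            "fields": parse_fields(bracket.group(1)) if bracket else {},
        })
    return events

def summarize(events):
    """Per message text: occurrence count plus first/last timestamp (when it started and stopped)."""
    out = {}
    for e in sorted(events, key=lambda e: e["timestamp"]):
        s = out.setdefault(e["message"], {"count": 0, "first": e["timestamp"], "last": None})
        s["count"] += 1
        s["last"] = e["timestamp"]
    return out
```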

3 Replies

@dcrn1 

The Directory service account is used for a number of operations, so you shouldn't expect regular access patterns. However, if you are seeing alerts/high investigation priority coming from this account that need troubleshooting, can you please share some screenshots with us?

@Or Tsemah 

But there has been a very distinct pattern. As I scroll to try and reach the oldest event for the account, there was a very high volume of credential validation events on domain controllers on March 4th, which was the day the account was seen/created, so likely the day I first set up Azure ATP. The last of the regular credential validation events was August 4th, 6 months later.

I understand exactly why the investigation priority was high for the days I noticed, as it was the first time the account has ever accessed workstation resources on our domain.

What is also strange is there has been no reported activity for the account from Dec 4th to today.

@dcrn1 

Yes, when first deployed, it is expected to see more activity coming from that account.

Are you observing any health alerts in the Azure ATP console?