Golden Ticket Event from Azure ATP, going to Azure Sentinel


Hi, 

I have connected Azure Sentinel with Azure ATP (preview). 
For test purposes, I did a golden ticket attack on my test environment, to see if this attack can be seen in Azure Sentinel. The event "Suspected Golden Ticket usage" (ID 2027) was successfully displayed in the Azure ATP Portal, but this event does not appear in my Azure Sentinel. However, when I used the PsExec tool, the event "Remote code execution attempt" (ID 2019) was successfully displayed in the Azure ATP Portal AND Azure Sentinel. So I don't think that my problem is the configuration of the data connector between Azure Sentinel and Azure ATP.

Is there a reason for this event not to be displayed in Sentinel?

I have provided some screenshots just in case. 

1 Reply

@emmanuelnguyen: I think this issue is best suited for a support case.