Hunt for threats using events captured by Azure ATP on your domain controller
Published Aug 19 2020 01:03 AM


We’re thrilled to share that you can now hunt for threats using events on your domain controller with advanced hunting in Microsoft Threat Protection.


The new IdentityDirectoryEvents table—available in public preview—incorporates data from the Azure Advanced Threat Protection (Azure ATP) sensor, including various identity-related activities, such as account password changes or remote creation of scheduled tasks on the domain controller.




In general, the table captures three categories of events on your domain controller:

  • Remote code execution
  • Changes to attributes of Active Directory objects, including groups, users, and devices
  • Other activities performed against the directory, such as replication or SMB session enumeration

You can get the full list of supported events or action types in the in-portal reference.




Here are some sample queries you can use:


//Track domain controller replication
IdentityDirectoryEvents
| where ActionType == "Directory Services replication"
| limit 100
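Replication events become interesting when the requester is not itself a domain controller. The following query is an added example, not part of the original post: it lists hosts that requested directory replication from a DC but are not on a list of known DCs. It assumes that DeviceName holds the requesting host and TargetDeviceName the DC that served the request, and the knownDCs list is a placeholder to be replaced with the DCs in your own environment.

```kusto
// Added example (not from the original post): surface replication requests that did not
// come from a known domain controller.
// Assumptions: DeviceName = requesting host, TargetDeviceName = DC that answered.
// The knownDCs list below is a placeholder; fill it with your own DC names.
let knownDCs = dynamic(["dc01.contoso.local", "dc02.contoso.local"]);
IdentityDirectoryEvents
| where Timestamp > ago(7d)
| where ActionType == "Directory Services replication"
| where isnotempty(DeviceName)
| where DeviceName !in~ (knownDCs)
| summarize FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Requests  = count(),
            TargetDCs = make_set(TargetDeviceName)
          by DeviceName, AccountDisplayName, AccountSid, IPAddress
| order by Requests desc
```

Any row returned is worth a look: a member server or workstation asking a DC to replicate is unusual and should be reconciled against known tooling (backup agents, Azure AD Connect servers) before being treated as benign.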


//Track service creation activities on domain controllers
IdentityDirectoryEvents
| where ActionType == "Service creation"
| extend ServiceName = AdditionalFields["ServiceName"]
| extend ServiceCommand = AdditionalFields["ServiceCommand"]
| project Timestamp, ActionType, Protocol, DC = TargetDeviceName, ServiceName, ServiceCommand, AccountDisplayName, AccountSid, AdditionalFields
| limit 100
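Listing every service creation quickly gets noisy on busy domain controllers. The query below is an added example, not part of the original post: it builds a 30-day baseline of service commands seen on your DCs and returns only the service creations from the last day whose command has never appeared before, grouped by the creating account. It uses only the table, action type and AdditionalFields keys shown above; the 30-day and 1-day windows are illustrative.

```kusto
// Added example (not from the original post): flag service creations on domain
// controllers whose ServiceCommand was not seen during the baseline period.
// Window lengths are illustrative; tune them to your environment.
let lookback = 30d;
let recent = 1d;
let baseline =
    IdentityDirectoryEvents
    | where Timestamp between (ago(lookback) .. ago(recent))
    | where ActionType == "Service creation"
    | extend ServiceCommand = tostring(AdditionalFields["ServiceCommand"])
    | distinct ServiceCommand;
IdentityDirectoryEvents
| where Timestamp > ago(recent)
| where ActionType == "Service creation"
| extend ServiceName = tostring(AdditionalFields["ServiceName"]),
         ServiceCommand = tostring(AdditionalFields["ServiceCommand"])
// leftanti keeps only rows whose ServiceCommand has no match in the baseline
| join kind=leftanti baseline on ServiceCommand
| summarize FirstSeen = min(Timestamp),
            Events    = count(),
            DCs       = make_set(TargetDeviceName)
          by AccountDisplayName, AccountSid, ServiceName, ServiceCommand
| order by FirstSeen desc
```

Casting the AdditionalFields values with tostring() matters here: the join key must be a string column, and the raw dynamic values would not join reliably.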


//Find the latest password change event for a specific account
let userAccount = '<insert your user account>';
let deviceAccount = '<insert your device account>';
IdentityDirectoryEvents
| where ActionType == "Account Password changed"
| where TargetAccountDisplayName == userAccount
//If you are looking for the last password change of a device account, comment out the line above and uncomment the line below
//| where TargetDeviceName == deviceAccount
| summarize LastPasswordChangeTime = max(Timestamp) by TargetAccountDisplayName // or change to TargetDeviceName for a device account



As always, please let us know what you think and how we can tweak this enhancement further!


To learn more about advanced hunting in Microsoft Threat Protection and these new enhancements, go to the following links:

