Issue with Reuse of SubjectLogonId & TargetLogonId in "Non Domain Controller Active Directory Replication"

[SWIB-ChristopherS]

Describe the bug
The "Non Domain Controller Active Directory Replication" Analytic Rule (AR) queries data over the last 7 days by default. For busy DCs, SubjectLogonId and TargetLogonId may get reused. When this occurs, it can result in erroneous IPs being added to the result because the join is only comparing the SubjectLogonId and TargetLogonId.

To Reproduce
Run the following query to observe reuse of TargetLogonId.

SecurityEvent
| where EventID == 4624 and LogonType == 3 and AccountType != 'Machine' and TargetLogonId != "0x3e7"
| summarize FirstUse = min(TimeGenerated), LastUse = max(TimeGenerated), Count = count() by TargetLogonId
| where LastUse - FirstUse >= 1d
| order by LastUse desc

Then run the following to observe different IP Addresses with the same TargetLogonId.

SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AccountType != 'Machine'
| where TargetLogonId == "0xf107948f"
| project-reorder TimeGenerated, Account, Computer, IpAddress

Expected behavior
This AR "detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS)." Therefore, when this is detected, only legitimate Source IPs associated with traffic should be returned.

Additional context
Populating the DCServersList variable can help eliminate this issue. However, the EventIDs 4624 and 4662 should both occur on the same host. Therefore, modifying the join to also match the Computer would help ensure the LogonIds are associated with the same Computer. This could be further improved by also joining on Account but it would be necessary to ensure the format is the same between both Event IDs.

| join kind=leftouter
    (
    SecurityEvent
    | where Computer in (DCServersList)
    | where EventID == 4624 and LogonType == 3
    | where AccountType != 'Machine'
    | project TargetLogonId, IpAddress, Computer, Account
    )
    on $left.SubjectLogonId == $right.TargetLogonId, Computer

[v-tsawant]

Hi @SWIB-ChristopherS , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

[v-kasghosh]

Hey @SWIB-ChristopherS ,

Apologies for the delayed response. We've done an initial analysis, but we need the logs to continue with the investigation. Please send the logs by email so we can move forward with the analysis. Thanks!

Email: v-kasghosh@microsoft.com

[SWIB-ChristopherS]

Hi @v-kasghosh , I just emailed you sample logs.

[v-kasghosh]

Hey @SWIB-ChristopherS ,

I'm sharing the updated analytics query below:

  // Enter a reference list of hostnames for your DC servers
  //let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
  SecurityEvent
  //| where Computer in (DCServersList)
  | where EventID == 4662 and ObjectServer == 'WMI'
  | where AccountType == 'Machine'
  //| project Properties
  | where Properties has '-' //DS-Replication-Get-Changes
      or Properties has '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes-All
      or Properties has '89e95b76-444d-4c62-991a-0facbeda640c' //DS-Replication-Get-Changes-In-Filtered-Set
  | project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer
  | join kind=leftouter
  (
      SecurityEvent
      //| where Computer in (DCServersList)
      | where EventID == 4624 and LogonType == 5
      | where AccountType == 'Machine'
      | project TargetLogonId, IpAddress, Computer
  )
  on $left.SubjectLogonId == $right.TargetLogonId and $left.Computer == $right.Computer
  | project-reorder TimeGenerated, Computer, Account, IpAddress
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(Account, "\\")[0]), AccountNTDomain = tostring(split(Account, "\\")[1])

Could you please review it and let us know if it provides the expected results?

Thanks!

[SWIB-ChristopherS]

Hi @v-kasghosh , there are quite a few changes in this logic, for example:

• Original AR: ObjectServer == 'DS' / Your query: ObjectServer == 'WMI'
• Original AR: AccountType != 'Machine' / Your query: AccountType == 'Machine'
• Original AR: LogonType == 3 / Your query: LogonType == 5
  Original AR: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Analytic%20Rules/NonDCActiveDirectoryReplication.yaml

There may be other significant logic changes as well but those are just the ones that caught my eye. Are they intended? If so, can you share the rationale for the changes?

As for the results of your query, the only results it returns are associated with a domain controller, which does not seem intended.

[v-kasghosh]

Hey @SWIB-ChristopherS ,

Apologies for the earlier confusion — I had accidentally shared an incorrect test version of the query.

The updated query below aligns with the original Non-DC Active Directory Replication analytic rule.
The only intentional logic difference between the two versions is the join condition used to correlate EventID 4662 and EventID 4624 events.

on $left.SubjectLogonId == $right.TargetLogonId 
   and $left.Computer == $right.Computer

This correlation:

• Uses both LogonId and Computer for matching
• Ensures the logon event occurred on the same domain controller where the replication activity was logged
• Reduces false positives caused by identical LogonIds across different systems
• Provides a more accurate and safer correlation

All other aspects of the query logic remain unchanged.

Updated query:

// Enter a reference list of hostnames for your DC servers
//let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
SecurityEvent
//| where Computer in (DCServersList)
| where EventID == 4662 and ObjectServer == 'DS'
| where AccountType != 'Machine'
| where Properties has '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' // DS-Replication-Get-Changes
    or Properties has '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' // DS-Replication-Get-Changes-All
    or Properties has '89e95b76-444d-4c62-991a-0facbeda640c' // DS-Replication-Get-Changes-In-Filtered-Set
| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer
| join kind=leftouter
(
    SecurityEvent
    //| where Computer in (DCServersList)
    | where EventID == 4624 and LogonType == 3
    | where AccountType != 'Machine'
    | project TargetLogonId, IpAddress, Computer
)
on $left.SubjectLogonId == $right.TargetLogonId and $left.Computer == $right.Computer
| project-reorder TimeGenerated, Computer, Account, IpAddress
| extend HostName = tostring(split(Computer, ".")[0]),
         DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, "\\")[0]),
         AccountNTDomain = tostring(split(Account, "\\")[1])

Please let me know if the results now look as expected.

Thanks!

[SWIB-ChristopherS]

Hi @v-kasghosh , yes, that looks right to me and produces expected results.

[v-kasghosh]

Hey @SWIB-ChristopherS ,

Could you please share a screenshot with us?

Thanks!