Azure virtual desktop session alerts triggered by hostname changes

Heath Smart Dylan 0 Reputation points
2024-07-16T04:55:47.8+00:00

Our Azure virtual desktop keeps raising "pass the ticket" attack alerts when the hostname of our computers changes from <hostname> to <hostname>-<random number>. However, our security logs remain the same inside the SIEM, showing no change in hostname or client IP. As Azure virtual desktop might swap instances, create sessions, or perform backups, I'm assuming this is the reason. Can anyone provide official documentation or a statement to confirm this before we automate a solution?

Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

1 answer

  1. Prrudram-MSFT 24,451 Reputation points
    2024-07-17T07:16:51.0433333+00:00

    Hello @Heath Smart Dylan

    If you're using native AVD, then there shouldn't be a situation where a hostname changes once deployed at the moment.

    We don't currently do any host deployments beyond the initial creation of the host. Are you perhaps using any third-party tools (Citrix/Nerdio etc.) that might be performing host creation/deletion as part of a scaling operation? Alternatively, have you created an automation/routine that does the deployment of new hosts as part of monthly patching, for example?

    Are the host names changing on the VM itself (i.e., does Windows see the change) or is it the computer name in the Azure portal?
