Defender for Identity - Directory Services Advanced Auditing is not enabled

OwlTecAB 40 Reputation points
2023-09-27T20:12:12.2233333+00:00

Hi Everyone,

We have followed the following guide from Microsoft in regards to enabling "advanced auditing" for Defender for Identity:

Screenshot 2023-09-27 at 1.52.25 PM

Any ideas?

I am certain have configured our GPO properly (but you never know):

Screenshot 2023-09-27 at 1.34.51 PM

Screenshot 2023-09-27 at 1.35.28 PM

Screenshot 2023-09-27 at 1.35.41 PM

Screenshot 2023-09-27 at 1.35.54 PM

Screenshot 2023-09-27 at 1.36.44 PM

Screenshot 2023-09-27 at 1.46.40 PM

Here are the results of running "auditpol /get /category:*" on one of the servers that this policy has been applied to:

Screenshot 2023-09-27 at 2.13.04 PM

Screenshot 2023-09-27 at 2.13.14 PM

As always, thanks for the help!

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
5,493 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,632 questions
Microsoft Defender for Identity
Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
210 questions
{count} vote

3 answers

Sort by: Most helpful
  1. Limitless Technology 44,386 Reputation points
    2023-09-28T11:22:10.5666667+00:00

    Hello

    Thank you for your question and reaching out.

    Please check below steps and make sure you have checked all relevant event log entries to be enabled for GPO.

    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-enabling-advanced-security-audit-policy-via/ba-p/282452

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments

  2. OwlTecAB 40 Reputation points
    2023-09-28T13:19:39.1166667+00:00

    Thanks for the link, however I have just confirmed that the relevant logs are on found on my DCs (that was applied via my GPO):Screenshot 2023-09-28 at 7.17.26 AM

    Screenshot 2023-09-28 at 7.14.05 AM

    Screenshot 2023-09-28 at 7.15.28 AM

    What I just did, was push the policies again from the "Default Domain Controllers Policy" GPO instead of the separate one I had created to see if that fixes the issue.

    Edit: Pushing the polices to "Default Domain Controllers Policy" GPO, instead of a separate GPO, is what fixed it. I guess this is a super common bug with enabling Advanced Audit that has been resolved.


  3. OwlTecAB 40 Reputation points
    2023-09-28T13:23:33.24+00:00

    Duplicate.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.