DFS Replication Issues Mitigation

The Indicator of Attack (IoA) deployment script accepts an additional parameter, -EventLogsFileWriteFrequency X, that lets you mitigate slow or broken Distributed File System (DFS) replication.

This parameter is optional and Tenable recommends using it only if you are experiencing DFS replication issues or have noticed them since deploying the IoA script. Under normal circumstances, the parameter remains at its default value and you do not need to include it in the command line when running the script.

When to modify the parameter

The value X of the parameter -EventLogsFileWriteFrequency X is the interval, in seconds, at which the Tenable Identity Exposure listener generates an event logs file on non-PDCe domain controllers (DCs). The default and recommended value is 15 seconds. A customized value does not apply to PDCe DCs: they keep the default 15-second interval so that attack detection capabilities remain fully operational. Tenable recommends using this parameter, and raising its value above the 15-second default up to a maximum of 300 seconds (5 minutes), only if your infrastructure faces or is prone to DFS replication issues.

Recommendations

Be aware that increasing the value of this parameter causes the listener to generate the event logs file less often, which increases the delay in attack detection (for example, if the file generates every 30 seconds instead of the default 15 seconds on non-PDCe DCs). A longer interval also increases the size of the generated event logs file, within the limits defined in Technical Changes and Potential Impact. Therefore, use this parameter only as a mitigation strategy and not as a replacement for proper investigation of DFS replication issues.

To apply the parameter:

  1. Configure your domains for IoAs as described in the procedure. For more information, see Install Indicators of Attack.

  2. Open a PowerShell terminal with administrative rights.

  3. Run the script to configure your domain controllers for IoAs and append the -EventLogsFileWriteFrequency X parameter, where X is the write frequency, in seconds, that you want to set for the event logs file.