We are receiving these alerts for a few of our laptops querying Domain Admins and another sensitive security group, both of which are in the local admins group on the laptop. Oddly, when I check, other laptops are querying these groups but no alerts are generated for them. I am seeing both LDAP and SAMR queries for those groups.

It seems that the ones that are triggering the alert are laptops used by users who tend to work remotely and are not connected to the network as much as the others who are not alerting. Also, it seems that it happens every 30 days and is not constantly happening. I would expect that with a recon attack they would be trying to query all sensitive groups, which is not happening: no queries to Enterprise Admins, Backup Operators, etc.

Would a domain-joined laptop of a normal user who doesn't perform any IT task query these 2 groups as part of any normal process on the laptop that would occur once every 30 days? Is there a misconfiguration that could cause this? Any insights would be greatly appreciated, as I have checked the laptops I have been alerted for and I have not found any malicious tools or malware that would cause this. I really don't know what other steps I should take to determine the cause of this.