Forum Discussion
1.7.575.57477 lots of "Reconnaissance using directory service enumeration"
- Jan 31, 2017
Hi,
As you mentioned, this is a known issue with ATA 1.7.
In some cases this suspicious activity can be caused by legitimate security solutions running on endpoints and servers. With ATA 1.7 Update 1 we've introduced the ability to disable this detection in order to stop generating these alerts. However, it requires an additional manual step after deploying ATA 1.7 Update 1, which is described at https://support.microsoft.com/en-us/help/3191777/description-of-update-1-for-microsoft-advanced-threat-analytics-v1.7
We're further adding clustering and other elements to the detection logic in the upcoming release of ATA to improve the detection itself and automatically address this scenario.
Hope this helps!
Michael.
Hi Michael,
Many thanks, I had overlooked the actual activity required to disable this detection.
From a technical standpoint I am surprised that machines enumerate all AD objects quite so often, or at all; I wouldn't have thought they would have a need to know of anything else in Active Directory until they need to interact with the object.
Kind regards
Pete
- Michael Dubinsky, Feb 09, 2017, Former Employee
So were we. I do suggest you look into the solution generating those queries (more from an operational perspective).
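Michael's suggestion above is to find the solution that is generating the enumeration queries before deciding whether to disable the detection. The following script is an added example of how to do that on a domain controller; it is not part of the thread and not ATA or Microsoft code. It relies on the NTDS Field Engineering diagnostic logging that writes event ID 1644 to the Directory Service log for expensive or inefficient LDAP searches, and assumes a Windows Server 2012 R2 or later DC (where the threshold registry values exist). The threshold values, the 24-hour window, and the regex parsing of the 1644 message text are assumptions for this example.

```powershell
# Added example (not from the thread or from Microsoft): identify which clients are
# issuing the broad LDAP searches that ATA reports as "Reconnaissance using directory
# service enumeration". Run on a domain controller with Domain Admin rights.
# Assumptions: Windows Server 2012 R2+ DC; NTDS Field Engineering logging (event 1644).

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

# 1. Enable expensive/inefficient search logging. Level 5 on "15 Field Engineering"
#    writes a 1644 event for every search that crosses one of the thresholds below.
Set-ItemProperty -Path "$ntds\Diagnostics" -Name '15 Field Engineering' -Value 5
# Thresholds (visited entries / returned entries / milliseconds). These particular
# values are an assumption for this example; tune them so that normal traffic stays quiet.
Set-ItemProperty -Path "$ntds\Parameters" -Name 'Expensive Search Results Threshold'   -Value 5000
Set-ItemProperty -Path "$ntds\Parameters" -Name 'Inefficient Search Results Threshold' -Value 1000
Set-ItemProperty -Path "$ntds\Parameters" -Name 'Search Time Threshold (msecs)'        -Value 100

# 2. Let the DC collect for a while (hours to a day), then pull the 1644 events.
$since  = (Get-Date).AddHours(-24)   # assumed window
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# The 1644 message is free text with each label on one line and its value on the next.
# Pull the fields with regexes rather than property positions, which vary by OS version.
$rows = foreach ($e in $events) {
    $m = $e.Message
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Client   = if ($m -match 'Client:\s*(\S+)')          { $Matches[1] }          else { '?' }
        BaseDN   = if ($m -match 'Starting node:\s*(.+)')     { $Matches[1].Trim() }   else { '?' }
        Filter   = if ($m -match 'Filter:\s*(.+)')            { $Matches[1].Trim() }   else { '?' }
        Scope    = if ($m -match 'Search scope:\s*(\S+)')     { $Matches[1] }          else { '?' }
        Visited  = if ($m -match 'Visited entries:\s*(\d+)')  { [int]$Matches[1] }     else { 0 }
        Returned = if ($m -match 'Returned entries:\s*(\d+)') { [int]$Matches[1] }     else { 0 }
    }
}

# 3. Rank clients by how much of the directory they pull back. A client that repeatedly
#    runs subtree searches from the domain root with a catch-all filter is what ATA sees;
#    resolve the IP to a host and check which agent or service on it issues the query.
$rows |
    Group-Object Client |
    ForEach-Object {
        $top = $_.Group | Sort-Object Returned -Descending | Select-Object -First 1
        [pscustomobject]@{
            Client        = $_.Name
            Searches      = $_.Count
            TotalReturned = ($_.Group | Measure-Object Returned -Sum).Sum
            TopFilter     = ($_.Group | Group-Object Filter | Sort-Object Count -Descending | Select-Object -First 1).Name
            LargestSearch = "$($top.Scope) from $($top.BaseDN) returned $($top.Returned)"
        }
    } |
    Sort-Object TotalReturned -Descending |
    Format-Table -AutoSize

# 4. Field Engineering logging is verbose; turn it back off when the investigation is done.
Set-ItemProperty -Path "$ntds\Diagnostics" -Name '15 Field Engineering' -Value 0
```

Run this on each DC that ATA reports the alerts against, since 1644 events are only written on the DC that served the search. Once the client and the filter it uses are known, you can decide whether the traffic is a legitimate agent (and whether it can be reconfigured) before taking the Update 1 step that disables the detection outright.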