Forum Discussion
ECuadra
Nov 28, 2019
Copper Contributor
Explanation about this Azure ATP alert on Domain Controller
Hello, I have checked this alert in the Azure ATP timeline. For privacy, I have changed the domain and DC names: non-existing account MYDOMAIN\SYSTEM attempted to logon | using Ntlm | against DC01013 ...
Tali Ash
Microsoft
Dec 01, 2019
Hi ECuadra,
I suggest turning on 8004 events on your domain controllers so that you get the full information about the NTLM authentications. Once you enable this event, Azure ATP will show you which server the account is trying to access.
Thanks,
Tali
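
Added example, not part of the thread or of the reply above: a PowerShell sketch for reading 8004 records directly on a domain controller, to see which device sent the NTLM logon and which server it was trying to reach. The function name `ConvertFrom-Ntlm8004Xml`, the sample record and its host names are constructed for illustration.

```powershell
# Event 8004 is written to the Microsoft-Windows-NTLM/Operational log only when
# NTLM auditing is enabled by policy on the domain controllers, e.g.
# "Network security: Restrict NTLM: Audit NTLM authentication in this domain".

# Constructed sample shaped like the XML from (Get-WinEvent ...).ToXml().
# Every value below is made up.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8004</EventID><Computer>DC01013.mydomain.example</Computer></System>
  <EventData>
    <Data Name="SChannelName">FILESRV01</Data>
    <Data Name="UserName">SYSTEM</Data>
    <Data Name="DomainName">MYDOMAIN</Data>
    <Data Name="WorkstationName">WKS-0042</Data>
    <Data Name="SChannelType">2</Data>
  </EventData>
</Event>
'@

function ConvertFrom-Ntlm8004Xml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    # Collect the named <Data> fields; GetAttribute avoids confusing the
    # "Name" attribute with the element's own node name.
    $fields = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        DomainController = $doc.Event.System.Computer
        Account          = '{0}\{1}' -f $fields['DomainName'], $fields['UserName']
        SourceDevice     = $fields['WorkstationName']   # where the logon came from
        AccessedServer   = $fields['SChannelName']      # server the account tried to reach
    }
}

# Parse the constructed record.
ConvertFrom-Ntlm8004Xml -Xml $sampleXml

# On a domain controller, feed real records instead of the sample:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004 } |
#     ForEach-Object { ConvertFrom-Ntlm8004Xml -Xml $_.ToXml() } |
#     Where-Object Account -eq 'MYDOMAIN\SYSTEM'
```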