Forum Discussion
New preview detection: Security principal reconnaissance (LDAP)
mboisvert If you look closely at the alert details, or even export them to Excel, you will be able to see that the entity involved in this case is the machine account.
Note that this could happen to other alerts as well if the attacker used the machine account.
If you have a specific recommendation of what statement you are missing from the docs and where, I am adding Deleted to help with that.
EliOfek Thanks for the quick reply. Yes, I remember we could do this in the OLD portal, but I think it is not possible in M365 Defender now. In any case, would it be possible to have it IN the alert, with no need for extra steps, to avoid that confusion? In M365 Defender, this is what the alert gives us: Timestamp, Base Object, Search Scope, Search Filter, Enumeration Type, Sensitive Type, Queried Groups. Basically, only what was queried, but no context (process, command line, ...). There is no correlation at all, so it is difficult to investigate accordingly. I found some documentation online, but either the schema or the action type in the queries given as examples doesn't exist. Do you have any documentation to help customers investigating such alerts?
- EliOfek, May 24, 2023
Microsoft
M365 has the option to export to Excel as well.
You won't get process / command line info from an MDI alert, as we don't have visibility into the endpoint.
We are not that smart (yet) to automatically correlate MDE events from the machine (if you have it there).
I think this link might be a good start for alert investigation:
https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts
Deleted might be able to supply more if there is something.
- logger2115, Oct 08, 2024, Brass Contributor
If the machine account is performing expected behavior, how would one go about suppressing the alert by employing an exclusion for the detection logic? Would excluding cause something of concern to slip through? How do we ensure it's being addressed with a specific detection for the given entity while ensuring others continue to report?
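The two open points in this thread, getting process context for an MDI LDAP alert and deciding whether an exclusion for a machine account is safe, can both be worked manually with one advanced hunting query. The query below is an added example, not code from the thread, from Microsoft or from the linked docs. It assumes the tenant exposes the `IdentityQueryEvents` (MDI) and `DeviceNetworkEvents` (MDE) tables with the column names used here, that the device in question has the MDE sensor, and that `AlertMachineAccount` is replaced with the entity shown in the alert; the account list in `ExpectedAccounts` is a constructed placeholder. Verify the table and column names against the schema reference in your own tenant before relying on it.

```kql
// Added example (not from the thread): join MDI LDAP query events with MDE
// network events from the same device, within a short time window, so the
// analyst can see which process issued the LDAP searches the alert reports.
// Assumptions: IdentityQueryEvents and DeviceNetworkEvents exist with the
// columns below; AlertMachineAccount is a placeholder for the alert entity.
let AlertMachineAccount = "ALERT-MACHINE-ACCOUNT$";   // placeholder: copy from the alert
let LookbackWindow = 7d;
let CorrelationWindow = 2m;
// Constructed list of accounts you are considering excluding as "expected".
let ExpectedAccounts = dynamic(["EXAMPLE-BACKUP-HOST$"]);
let LdapQueries =
    IdentityQueryEvents
    | where Timestamp > ago(LookbackWindow)
    | where Protocol =~ "Ldap"
    | where AccountName =~ AlertMachineAccount or AccountName in~ (ExpectedAccounts)
    // MDI may report the source host as short name or FQDN; normalise to short name
    | extend DeviceShort = tolower(tostring(split(DeviceName, ".")[0]))
    | project QueryTime = Timestamp, DeviceShort, AccountName, QueryType,
              QueryTarget, Query, DestinationDeviceName;
let LdapConnections =
    DeviceNetworkEvents
    | where Timestamp > ago(LookbackWindow)
    | where RemotePort in (389, 636, 3268, 3269)      // LDAP, LDAPS, Global Catalog
    | extend DeviceShort = tolower(tostring(split(DeviceName, ".")[0]))
    | project NetTime = Timestamp, DeviceShort, RemoteIP, RemotePort,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessAccountName;
LdapQueries
| join kind=inner LdapConnections on DeviceShort
// keep only connections that happened close to the LDAP search MDI observed
| where NetTime between ((QueryTime - CorrelationWindow) .. (QueryTime + CorrelationWindow))
| extend OnExpectedList = AccountName in~ (ExpectedAccounts)
// One row per account/process pair: this is what an exclusion would hide.
| summarize QueryCount = count(),
            FirstSeen = min(QueryTime),
            LastSeen = max(QueryTime),
            CommandLines = make_set(InitiatingProcessCommandLine, 10),
            Targets = make_set(QueryTarget, 20),
            DomainControllers = make_set(DestinationDeviceName, 10)
          by AccountName, DeviceShort, InitiatingProcessFileName, OnExpectedList
| order by OnExpectedList asc, QueryCount desc
```

Read the output per account: if every row for the machine account comes from one known process with a stable set of query targets, an exclusion scoped to that entity is defensible, and the rows with `OnExpectedList == true` show exactly the activity that exclusion would suppress. A new process name or a jump in `Targets` for an excluded account is the signal that would otherwise slip through, so keep this query as a scheduled hunt for the excluded accounts rather than relying on the alert alone.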