ARJ_Cyb
Copper Contributor
Sep 17, 2021

Reconnaissance using Directory Services queries

Hi,

I observe SAMR queries from some servers and desktops to the domain controller for various user accounts.

So whenever it's an admin account, it triggers the "Reconnaissance using Directory Services queries" alert in ATA (Microsoft Advanced Threat Analytics).

For the investigation I tried to use https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide, but I am not sure how to investigate the following:

  1. Are such queries supposed to be made from the source computer in question?
  2. What can be the legitimate cases for SAM-R queries?


Note: This is not related to the Lenovo issue with SAMR or WaAppAgent.exe.


Thanks,
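One way to work through the first question (whether the source computer is expected to make SAM-R queries at all) is to group the observed queries by source host, separate lookups of privileged accounts from ordinary ones, and compare each source against an allow-list of hosts with a known reason to enumerate accounts. The script below is an added example, not part of the original post or of ATA; the query records, the privileged-account set and the allow-list are constructed sample data.

```python
from collections import defaultdict

# Constructed SAM-R query records as (source_host, target_account).
# Hypothetical sample data for illustration, not real ATA or event-log output.
SAMR_QUERIES = [
    ("MGMT01", "da-admin"),
    ("MGMT01", "jsmith"),
    ("MGMT01", "svc-backup"),
    ("WS-017", "jsmith"),
    ("WS-017", "da-admin"),
    ("WS-017", "svc-backup"),
    ("WS-042", "jsmith"),
    ("WS-042", "mlee"),
]

# Assumed privileged accounts; in practice derive this from the AD admin groups.
ADMIN_ACCOUNTS = {"da-admin", "svc-backup"}

# Hypothetical allow-list: hosts with a documented reason to enumerate
# accounts over SAM-R (e.g. a management or inventory server).
EXPECTED_QUERIERS = {"MGMT01"}


def summarize_by_source(queries, admin_accounts):
    """Per source host: total queries, distinct targets, and which targets are admins."""
    acc = defaultdict(lambda: {"total": 0, "targets": set(), "admin_targets": set()})
    for source, target in queries:
        entry = acc[source]
        entry["total"] += 1
        entry["targets"].add(target)
        if target in admin_accounts:
            entry["admin_targets"].add(target)
    return {
        src: {
            "total": e["total"],
            "distinct_targets": len(e["targets"]),
            "admin_targets": sorted(e["admin_targets"]),
        }
        for src, e in acc.items()
    }


def sources_to_investigate(queries, admin_accounts, expected_queriers):
    """Sources that looked up privileged accounts but are not on the allow-list."""
    summary = summarize_by_source(queries, admin_accounts)
    return sorted(src for src, e in summary.items()
                  if e["admin_targets"] and src not in expected_queriers)


if __name__ == "__main__":
    for src, entry in summarize_by_source(SAMR_QUERIES, ADMIN_ACCOUNTS).items():
        print(src, entry)
    print("investigate:", sources_to_investigate(SAMR_QUERIES, ADMIN_ACCOUNTS, EXPECTED_QUERIERS))
```

A workstation that appears in the result is the one to check against its installed software and logged-on user, which is what the suspicious-activity guide asks for; a host on the allow-list still needs its allow-list entry justified.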
