Security principal reconnaissance (LDAP) (external ID 2038)

Question

If downloading the details for this type of alert, shouldn't there be a list ofsuspected users attached within the download?

peterrising · Answer

edhealea&nbsp;&nbsp;How long have you had Azure ATP in place? &nbsp;Are you already getting these type of alerts, or is it still in its learning period as per -&nbsp;https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-reconnaissance-alerts#security-principal-reconnaissance-ldap-external-id-2038&nbsp;

edhealea · Answer

It has been install for over 6 months. We have had one of these alerts in the past week which prompted the question from by CSOC team. They were expecting to see users in the alert.&nbsp;PeterRising&nbsp;

peterrising · Answer

edhealea&nbsp;&nbsp;Are you able to share a screen shot of what is contained in the alert?

edhealea · Answer

Which part of the alert do you want? The download details or actual alert in the console?

or tsemah · Answer

We are tracking a potential issue that should be addressed in the latest update to the service which is currently being deployed, please check again once you have version 2.113

Forum Discussion

Security principal reconnaissance (LDAP) (external ID 2038)

9 Replies

Resources