edhealea
May 01, 2020, Copper Contributor
Security principal reconnaissance (LDAP) (external ID 2038)
If downloading the details for this type of alert, shouldn't there be a list of suspected users attached within the download?
PeterRising
May 02, 2020, MVP
How long have you had Azure ATP in place? Are you already getting these types of alerts, or is it still in its learning period as per - https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-reconnaissance-alerts#security-principal-reconnaissance-ldap-external-id-2038
- edhealea, May 04, 2020, Copper Contributor
It has been installed for over 6 months. We have had one of these alerts in the past week which prompted the question from my CSOC team. They were expecting to see users in the alert. PeterRising
- PeterRising, May 04, 2020, MVP
- edhealea, May 05, 2020, Copper Contributor
Which part of the alert do you want? The download details or actual alert in the console?