Forum Discussion
DBR14
Jul 09, 2021
Iron Contributor
Vague ATA alert
Does anyone have any insight on how I should approach this alert? Random VM attempted remote execution toward a DC but absolutely 0 info on what occurred to trigger this alert, but something mu...
EliOfek
Microsoft
Jul 09, 2021
MDI will never give you process information as it's not monitoring the endpoint, just the DC. The Actor identity is not always visible in the protocol (when it is, MDI will give you the info). Sometimes it might even be the machine account...
In addition, for remote execution, some of the protocols use encryption, so we only see that something happened, and not what exactly, which will cause us to alert in "best effort mode".
Your best option is if you have MDE on this endpoint, as it does monitor it and might give you more info about which process might have triggered this around this time.
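One way to do the MDE correlation the reply suggests, as an added example that is not from the thread: an advanced hunting (KQL) query that takes the source machine from the MDI alert's evidence and lists process creations on that machine shortly before and after the alert time. Table and column names are the Microsoft 365 Defender advanced hunting schema; the alert title filter and the time window are assumptions to adjust to your tenant, and the join uses the lowercased host name rather than DeviceId, which is not assumed to be populated on the MDI evidence row.

```kql
// Added example (not from the thread): correlate an MDI remote-execution alert
// with MDE process telemetry from the source machine around the alert time.
let lookback  = 10m;   // how far before the alert to look (assumption)
let lookahead = 2m;    // how far after the alert to look (assumption)
let mdiAlerts =
    AlertInfo
    | where ServiceSource == "Microsoft Defender for Identity"
    | where Title has "remote code execution"   // adjust to the alert title you see
    | project AlertId, AlertTime = Timestamp, Title;
let sourceDevices =
    AlertEvidence
    | where EntityType == "Machine" and isnotempty(DeviceName)
    | extend DevKey = tolower(DeviceName)
    | project AlertId, SourceDevice = DeviceName, DevKey;
let processEvents =
    DeviceProcessEvents
    | extend DevKey = tolower(DeviceName)
    | project DevKey, ProcTime = Timestamp, AccountName, FileName,
              ProcessCommandLine, InitiatingProcessFileName,
              InitiatingProcessCommandLine;
mdiAlerts
| join kind=inner sourceDevices on AlertId
| join kind=inner processEvents on DevKey
// keep only processes that started in the window around the alert
| where ProcTime between ((AlertTime - lookback) .. (AlertTime + lookahead))
| project AlertTime, Title, SourceDevice, ProcTime, AccountName, FileName,
          ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by ProcTime asc
```

If the source machine is not onboarded to MDE the process side of the join is empty, which is the same "we only see that something happened" limit the reply describes, just confirmed from the endpoint side.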