Christo De Lange
Brass Contributor
May 26, 2021

Investigation priority score increase (Preview) alert

Hi

Today we started receiving the above alert in CAS. Appreciate it's preview, but the contents of the alert made me sit up!

Description: "ACCOUNTNAME investigation priority score has increased from 0 to 208 in 13 hours, higher than 99% of other scored users." :suprised:

Each event that formed part of this alert gave a +8 score on the following action:

Resource access: Device DEVICENAME, property Spns cifs/DEVICENAME.Domain.com

SourcePort: Various

DestinationPort: 88

The account in question being the ATP service account, and the activity on 61 different devices, the source being a DC.. :sad:

Has anyone else seen this? It looks dodgy as hell this suddenly being logged and not knowing what the activity means. Is this expected activity for ATP service?

Thanks in advance for your response!

3 Replies

  • Joe Stocker
    Bronze Contributor
    Any updates? I would be curious what you concluded here. Probably warrants a support case if you are still stuck.
    • Mario Krukow
      Copper Contributor
      Are there any updates? We have this with a customer of ours.
      We cannot understand what is happening in the background.
      Does anyone have an explanation for this?
      • JG-Burke
        Brass Contributor
        Did you find a resolution for your situation?