May 26 2021 09:47 AM
Hi
Today we started receiving the above alert in CAS. Appreciate it's a preview, but the contents of the alert made me sit up!
Description: "ACCOUNTNAME" investigation priority score has increased from 0 to 208 in 13 hours, higher than 99% of other scored users.
Each event that formed part of this alert gave a +8 score on the following action:
Resource access: Device DEVICENAME, property Spns cifs/DEVICENAME.Domain.com
SourcePort: Various
DestinationPort: 88
The account in question is the ATP service account, the activity was on 61 different devices, and the source is a DC.
Has anyone else seen this? It looks dodgy as hell, this suddenly being logged and not knowing what the activity means. Is this the expected activity for the ATP service?
Thanks in advance for your response!