Nov 28 2017 09:03 AM
I've found out that Azure ATP has some problems recognizing AAD Connect activities.
Is it happening to you, too?
Nov 28 2017 11:50 AM
Solution
This is a known false positive for this detection. You can find more information about all the alerts (including what might generate a false positive) in the Suspicious Activity Guide (this is the ATA version but it's relevant for Azure ATP alerts too): https://aka.ms/atasaguide
For known AAD Connect servers, you can use the "Close and Exclude" option to stop further alerts.