Aug 26 2018 - last edited on Nov 30 2021
Are there any known issues with Win10 stations & f/p alerts on "Reconnaissance using Directory Services queries"?
I know about the CIFS (445/tcp) “Suspicion of identity theft based on abnormal behavior” and Win10 WUDO.
Aug 26 2018 06:03 AM
We have numerous "Reconnaissance using Directory Services queries" from different Win10:
Aug 26 2018 06:05 AM
Aug 26 2018 06:24 AM
There are a lot of machines that generate SAMR queries, therefore we have a learning period to learn the normal behavior. I guess that a few weeks from now, after we learn its behavior, we will stop alerting. If you are sure it is an FP, you can suppress the alert.
Which devices are they? Lenovo? We know that Lenovo devices might generate SAMR queries and cause FPs until we learn it.
Aug 26 2018 06:35 AM