08-26-2018 05:45 AM
Hi,
Is there any known issues with Win10 stations & f/p alerts on "Reconnaissance using Directory Services queries ?
I know about the CIFS (445/tcp) “Suspicion of identity theft based on abnormal behavior” and Win10 WUDO..
10x, Haim.
08-26-2018 05:51 AM
Hi Haim,
There is no known issue with Win10. What do you experience?
Thanks,
Tali
08-26-2018 06:03 AM
Hi Tali,
We have numerous "Reconnaissance using Directory Services queries" from different Win10 :
08-26-2018 06:05 AM
08-26-2018 06:24 AM
Hi Haim,
There are a lot of machines that generate SAMR queries, therefore we have a learning period to learn the normal behavior. I guess that in a few weeks from now after we will learn it behavior we will stop alert. If you are sure it is FP you can Suppress the alert.
Which devices are they? Lenovo? We know that Lenovo devices might generate SAMR queries and cause FP until we learn it.
Thanks,
Tali
08-26-2018 06:35 AM