Today I have received a High severity alert for Suspected DCSync attack. The origin of this attack was a workstation that ATP tell us that has it's right private IP and a secondary IP, the one of our DC that already has the sensor installed. How it can be possible? I've investigated on DNS, on AV client logs, and other auditing tools and everything looks ok. No evidences for any risk on this computer or secondary IP address assigned to this workstation. How it can be possible?