Low information alert, Remote code execution attempt

Contributor

Greetings, I have a customer that is running Defender for Identity and this alert keeps showing up in their Azure Sentinel instance.

I thought it might have been a problem with information being lost on the way from Defender for Identity->Cloud App Security-> Sentinel, but from the Defender for Identity portal it is just as inexpressive.

stianhoydal_0-1633073406805.png

Is there a way to get more information sent with the alert?

2 Replies
Probably not much more, you can export the alert to excel and see some more details, but not sure they will give you the answer you are after.
This alert my vary on how detailed it is depending on which protocol was used to do the remote execution, and how the environment is configured. some protocols are encrypted, so we can only tell the execution took place, but not much more.
I have the same issue, it triggers for WMI but when I click the "+" to expand the "Remote Code Execution Attempted" field it's just blank.