Sep 05 2024 09:01 PM - edited Sep 08 2024 06:05 PM
Hi everyone,
The alerts we get the most from our customers are related to MDI.
Often, the alerts provide useful information, such as which computer initiated the attempts and which computers were targeted, along with details on the users involved and whether the logins were successful. However, they rarely explain the root cause of why these alerts are triggered or who the actor is. (e.g., "An actor on a computer performed...")
Scenario: Many of our Brute Force/Enumeration alerts come from internal endpoints attempting to access or enumerate other internal endpoints. When I check the most recent users and endpoints involved, I don’t find any malicious activity (the investigation and risk scores are low). This often leads me to believe that an application or misconfiguration may be causing these alerts. Does MDE provide visibility to help identify which application or misconfiguration is triggering these alerts?
I have only ever been able to successfully zero in on an application that caused the brute force attack using KQL. Unfortunately, most of the time I'm left scratching my head. When we discuss this with customers, they aren't always sure, but they guess it could be their VPN or some other app.
Any thoughts or suggestions would be appreciated.
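The kind of advanced hunting pivot the post refers to, as an added example that is not part of the original post or of any Microsoft documentation: it takes the source computer, the targeted computer, the target's IP and the alert time from the MDI alert (all placeholder values here) and joins the failed logons recorded on the target with the outbound authentication traffic on the source, attributed to the process that opened it. It assumes both machines are onboarded to MDE and uses the standard DeviceLogonEvents and DeviceNetworkEvents schema.

```kql
// Added example (not from the post). Placeholders below come from the MDI alert details.
let sourceDevice = "SRC-WORKSTATION";           // computer the alert names as the origin
let targetDevice = "TARGET-SERVER";             // computer the alert names as the target
let targetIPs    = dynamic(["10.0.0.5"]);       // IP(s) of the target, constructed value
let alertTime    = datetime(2024-09-05T20:00:00Z); // alert timestamp, placeholder
let window       = 1h;
// Ports an internal logon burst normally uses: Kerberos, RPC, NetBIOS, LDAP, SMB, LDAPS, RDP, WinRM
let authPorts    = dynamic([88, 135, 139, 389, 445, 636, 3389, 5985]);
// Step 1: what the target saw - failed logons that arrived from the source, grouped by source IP
let failedLogons =
    DeviceLogonEvents
    | where Timestamp between ((alertTime - window) .. (alertTime + window))
    | where DeviceName startswith targetDevice and ActionType == "LogonFailed"
    | where RemoteDeviceName startswith sourceDevice
    | summarize FailedAttempts = count(),
                Accounts       = make_set(AccountName, 20),
                FailureReasons = make_set(FailureReason),
                LogonTypes     = make_set(LogonType)
      by SourceIP = RemoteIP;
// Step 2: what the source did - outbound connections to the target on authentication ports,
// attributed to the initiating process, path, command line and the account running it
let sourceConnections =
    DeviceNetworkEvents
    | where Timestamp between ((alertTime - window) .. (alertTime + window))
    | where DeviceName startswith sourceDevice
    | where RemoteIP in (targetIPs) and RemotePort in (authPorts)
    | summarize Connections = count(),
                Ports       = make_set(RemotePort),
                FirstSeen   = min(Timestamp),
                LastSeen    = max(Timestamp)
      by SourceIP = LocalIP, InitiatingProcessFileName, InitiatingProcessFolderPath,
         InitiatingProcessCommandLine, InitiatingProcessAccountName;
// Step 3: line the two sides up on the source IP the target recorded. A process whose
// connection count tracks the failed-attempt count (a service, scheduled task, monitoring
// agent or VPN client running under a stale credential) is the likely root cause.
failedLogons
| join kind=inner sourceConnections on SourceIP
| project-away SourceIP1
| order by Connections desc
```

If the source is not onboarded to MDE, only the first half returns rows; the Accounts and LogonTypes columns still narrow the search to the service account and logon path (network vs. interactive) the misbehaving application is using.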