Resource access activity

%3CLINGO-SUB%20id%3D%22lingo-sub-1561835%22%20slang%3D%22en-US%22%3EResource%20access%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1561835%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EWhere%20can%20we%20find%20more%20info%20on%20the%20following%20activities%20logged%20by%20Azure%20ATP%3F%20What%20is%20the%20difference%20between%20those%20two%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EResource%20access%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Edevice%26nbsp%3B%3CSTRONG%3Exxxx%3C%2FSTRONG%3E%2C%20property%20xxxx%2Fxxxx%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EResource%20access%3A%26nbsp%3Bproperty%26nbsp%3B%3CSTRONG%3ESpns%3C%2FSTRONG%3E%26nbsp%3B%3CSTRONG%3Exxx%2Fxxxx%3C%2FSTRONG%3E%2C%20user%26nbsp%3B%3CSTRONG%3Exxxx%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20could%20cause%20a%20lot%20of%20these%20activities%20by%20one%20user%3F%20Can%20this%20indicate%20kerberoasting%3F%20%3CA%20href%3D%22https%3A%2F%2Fwww.eshlomo.us%2Fkerberoasting-extracting-service-account-password%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.eshlomo.us%2Fkerberoasting-extracting-service-account-password%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Super Contributor

Where can we find more info on the following activities logged by Azure ATP? What is the difference between those two:

 

Resource accessdevice xxxx, property xxxx/xxxx

Resource access: property Spns xxx/xxxx, user xxxx

 

What could cause a lot of these activities by one user? Can this indicate kerberoasting? https://www.eshlomo.us/kerberoasting-extracting-service-account-password/

0 Replies