Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Security principal reconnaissance (LDAP) alert

Iron Contributor

I received this alert 2 hours after the alert was first seen . Why did it take two hours to send an alert ?

 

Skipster3111_0-1626822618412.png

 

4 Replies
Some detectors will hold back the info trying to collect more information before deciding if it's a false positive and should be ignored or not. Also, at time there could be ingestion delays.
It's hard to tell for sure without checking each individual case as well.
Do you see any delays in any logical activities reported in the profile for an active entity?
Can you share the workspace id ?
Sorry, very knew to defender for identity. Where can i find the workspace id ?
Press the ? button on the top right toolbar on the native MDI portal. it will pop up a window with some tech details.
9ea5fd22-168e-4ab1-99d2-9b87763f47d3