Security principal reconnaissance (LDAP) (external ID 2038)


If downloading the details for this type of alert, shouldn't there be a list of suspected users attached within the download?

9 Replies

@Ed Healea

How long have you had Azure ATP in place? Are you already getting these types of alerts, or is it still in its learning period as per - https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-reconnaissance-alerts#security...


It has been installed for over 6 months. We have had one of these alerts in the past week, which prompted the question from my CSOC team. They were expecting to see users in the alert. @PeterRising


@Ed Healea

Are you able to share a screenshot of what is contained in the alert?

Which part of the alert do you want? The download details or actual alert in the console?

We are tracking a potential issue that should be addressed in the latest update to the service, which is currently being deployed; please check again once you have version 2.113.
We are currently on Version 2.113.7964.14687. Will the update only affect new alerts or any alert still open? I rechecked today on the alert in question and we are not seeing any change to the download details.

@Ed Healea Unfortunately, the hotfix does not apply to previous alerts; can you verify that you can download the details for a new alert?


@Or Tsemah 
We had a new alert come through and the download details did not contain any list of actors.
The tabs in the download are Summary, Source Computer, Domain Controllers, Event Activities and Related Entities.


@Ed Healea 

Hey Ed, can you please open a support ticket and forward it to me (ort@microsoft.com) so we can investigate it?