Security principal reconnaissance (LDAP) (external ID 2038)


If downloading the details for this type of alert, shouldn't there be a list of suspected users attached within the download?


@Ed Healea

How long have you had Azure ATP in place? Are you already getting this type of alert, or is it still in its learning period as per - https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-reconnaissance-alerts#security...


It has been installed for over 6 months. We have had one of these alerts in the past week, which prompted the question from my CSOC team. They were expecting to see users in the alert. @PeterRising

@Ed Healea

Are you able to share a screenshot of what is contained in the alert?

Which part of the alert do you want? The download details or the actual alert in the console?

We are tracking a potential issue that should be addressed in the latest update to the service, which is currently being deployed; please check again once you have version 2.113.

We are currently on Version 2.113.7964.14687. Will the update only affect new alerts, or any alert still open? I rechecked today on the alert in question and we are not seeing any change to the download details.

@Ed Healea Unfortunately, the hotfix does not apply to previous alerts. Can you verify that you can download the details for a new alert?

@Or Tsemah 
We had a new alert come through and the download details did not contain any list of actors.
The tabs in the download are Summary, Source Computer, Domain Controllers, Event Activities and Related Entities.

@Ed Healea 

Hey Ed, can you please open a support ticket and forward it to me (ort@microsoft.com) so we can investigate it?