Reconnaissance using Directory Services queries Alert


Hi Team,


I have received a Reconnaissance using Directory Services queries alert in ATA stating the details below.

I don't see the account or the process details from where the query was triggered, and there are no event logs from the machine this alert was triggered on.

Can you help me to analyze further?


MDI will never give you process information as it's not monitoring the endpoint, just the DC. The Actor identity is not always visible in the protocol (When it is, MDI will give you the info). Sometimes it might even be the machine account...
Your best option is if you have MDE on this endpoint, as it does monitor it and might give you more info about which process might have triggered this around this time.
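One way to follow up on the advice above in MDE Advanced Hunting, added here as an example and not part of the thread: it lists the processes on the source device that opened connections to the DC around the alert time (SAMR enumeration rides on SMB port 445; the LDAP ports are included in case the query came over LDAP). The alert time, DC IP and device name are placeholders to fill in from the MDI alert.

```kql
// Added example (not from the thread). Placeholders: replace with the values
// shown on the MDI alert before running.
let alertTime    = datetime(2024-01-01T12:00:00Z);   // placeholder: time on the MDI alert
let dcIp         = "10.0.0.10";                      // placeholder: IP of the DC that was queried
let sourceDevice = "WORKSTATION01";                  // placeholder: source device named in the alert
let window       = 15m;                              // look this far either side of the alert
DeviceNetworkEvents
| where Timestamp between ((alertTime - window) .. (alertTime + window))
| where DeviceName startswith sourceDevice
| where RemoteIP == dcIp
// 445 = SMB (SAMR is carried over the samr named pipe); 389/636/3268/3269 = LDAP/LDAPS/GC
| where RemotePort in (445, 389, 636, 3268, 3269)
| project Timestamp, DeviceName, RemotePort,
          InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by Timestamp asc
```

If nothing is returned, widen the window or check whether the device was onboarded to MDE at the time; a machine-account actor in the MDI alert often shows up here as a service or scheduled task rather than an interactive user.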