cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Entra Tech Accelerator
Jun 27 2023, 08:00 AM - 12:00 PM (PDT)
Microsoft Tech Community
Find out more

Vague ATA alert

DBR14
Frequent Contributor

‎Jul 09 2021 07:38 AM

‎Jul 09 2021 07:38 AM

Vague ATA alert

Does anyone have any insight on how I should approach this alert? 

Random VM attempted remote execution toward a DC but absolutely 0 info on what occurred to trigger this alert, but something must have happened to get it to trigger so I am a bit lost at what to look at.

DBR14_0-1625841414571.png

 

286 Views
0 Likes
1 Reply
Reply
1 Reply
Eli Ofek

‎Jul 09 2021 01:16 PM

‎Jul 09 2021 01:16 PM

Re: Vague ATA alert

MDI will never give you process information as it's not monitoring the endpoint, just the DC. The Actor identity is not always visible in the protocol (When it is, MDI will give you the info). Sometimes it might even be the machine account...
In addition, for remote execution, some of the protocols use encryption, so we only see that something happened, and not what exactly, which will cause us to alert in "best effort mode".
Your best option is if you have MDE on this endpoint, as it does monitor it and might give you more info about which process might have triggered this around this time.
0 Likes
Reply