Security principal reconnaissance (LDAP) was detected

Article ID: 368921


Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)
  • CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

We've received the following alert from Identity for Defender, which has recently been deployed. Is this expected behavior?

Security principal reconnaissance (LDAP) was detected in *<XYZDOMAIN>*

Actors on *PRIMARY_HUB* sent suspicious LDAP queries to *<AZURE_XX>*, searching for *LOCAL_ADMIN_<XX>_GROUP* (Local Administrators), *SERVER_<XXXXXXX>_<XXX>_GROUP and Network Support (Network Support) in *<XYZDOMAIN>*

Environment

  • DX UIM 20.4

Resolution

  • SSL mode, as provided in the hub LDAP configuration, should already be enabled. If it is not enabled yet, enable it.

  • There should be no security threat as long as both the AD server and the UIM server belong to the same customer or to 'known' entities. The Microsoft documentation also states that this trigger will not occur after the 10 days following the first-time deployment of Azure ATP 2.67, once Azure ATP has accurately 'profiled' and 'learned' the legitimate users.

Additional Information

This alert was raised by Defender running on the AD server, which is a VM running Azure ATP 2.67 or later.

Starting from version 2.67, Azure ATP detects when suspicious LDAP enumeration queries are made, or when queries targeting sensitive groups use methods not previously observed. To allow Azure ATP to accurately profile and learn legitimate users, alerts of this type are only triggered after the first 10 days following deployment of Azure ATP version 2.67.
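As an added triage example (not part of this article or the UIM product), the script below parses an alert in the format quoted above and classifies it: queries originating from a host in an allowlist of known UIM hubs are treated as expected hub LDAP activity, anything else is flagged for investigation. The alert text, the hub allowlist and the host names are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample alert in the format quoted in this article (placeholder names, not real data).
SAMPLE_ALERT = (
    "Security principal reconnaissance (LDAP) was detected in *CORP.EXAMPLE*\n"
    "Actors on *PRIMARY_HUB* sent suspicious LDAP queries to *DC01*, "
    "searching for *LOCAL_ADMIN_01_GROUP* (Local Administrators), "
    "*SERVER_OPS_GROUP* (Server Operators) and Network Support (Network Support) "
    "in *CORP.EXAMPLE*"
)

# Hypothetical allowlist: hosts that run a UIM hub with the LDAP integration enabled.
KNOWN_UIM_HUBS = {"PRIMARY_HUB", "SECONDARY_HUB"}

ALERT_RE = re.compile(
    r"Actors on \*(?P<actor>[^*]+)\* sent suspicious LDAP queries to \*(?P<target>[^*]+)\*, "
    r"searching for (?P<groups>.+?) in \*(?P<domain>[^*]+)\*",
    re.S,
)
# One queried group: "*NAME* (Description)" or "NAME (Description)"
GROUP_RE = re.compile(r"^\*?(.+?)\*?\s*\((.*)\)$")


@dataclass
class LdapReconAlert:
    actor: str
    target: str
    domain: str
    groups: list  # (group name, description) pairs


def parse_alert(text: str) -> LdapReconAlert:
    """Pull the actor host, target DC, domain and queried groups out of the alert text."""
    m = ALERT_RE.search(text)
    if m is None:
        raise ValueError("alert text does not match the expected format")
    groups = []
    for item in re.split(r",\s*|\s+and\s+", m.group("groups")):
        g = GROUP_RE.match(item.strip())
        if g:
            groups.append((g.group(1).strip(), g.group(2).strip()))
    return LdapReconAlert(m.group("actor"), m.group("target"), m.group("domain"), groups)


def triage(alert: LdapReconAlert, known_hubs=KNOWN_UIM_HUBS) -> dict:
    """Queries from a known UIM hub are expected; any other source needs review."""
    if alert.actor.upper() in known_hubs:
        return {"verdict": "expected",
                "reason": f"{alert.actor} is a known UIM hub; confirm SSL is enabled in its hub LDAP configuration"}
    return {"verdict": "investigate",
            "reason": f"{alert.actor} is not a known hub but enumerated {len(alert.groups)} groups on {alert.target}"}
```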