Abnormal behavior - CIFS listed as service type in ATA but the host doesn't have that service listed in servicePrincipalName attribute

  • Question

  • We periodically get "Suspicion of identity theft based on abnormal behavior" alerts where a user is requesting CIFS access for nearby PCs.

    The "CIFS" string is in the ATA resource access data but that isn't a Kerberos service name on the PCs.   

    Is ATA logging "CIFS" because this is what the user requested in the TG_REQ?

    Friday, February 1, 2019 5:36 PM

All replies

  • Hello,

    Based on my understanding, this has nothing to do with Kerberos or TG_REQ. ATA just learns the behavior of entities (users, computers, and resources) and sends an alert when there is a deviation from the entity's behavior, based on machine learning algorithms.

    You may investigate this user, and if this is a false positive, you can close and exclude this alert.

    Best regards,
    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 5, 2019 1:39 AM
  • My question is not whether or not the alert is legitimate. I am simply asking how ATA decided/learned that "CIFS" was the service being requested by the user.

    Wednesday, February 6, 2019 2:37 AM
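Added example, not part of the original thread: for SMB access a Kerberos client asks the KDC for a ticket to the SPN cifs/<hostname>, and Active Directory's default sPNMappings treat cifs (along with http, ldap and others) as an alias of the HOST class, so the request is satisfied by the HOST/ SPN that every domain-joined computer carries even though no cifs/ entry ever appears in its servicePrincipalName attribute. The Python below, written for this page, resolves a requested SPN against a computer's registered SPNs with that aliasing applied; the PC01 SPN list, the alias set (a subset of the real default mapping) and the function names are constructed for the example.

```python
import re

# Constructed for this example: service classes that Active Directory maps to
# the HOST class through the default sPNMappings attribute (subset of the
# real default list).
HOST_ALIASES = {"cifs", "http", "ldap", "rpc", "wins", "alerter", "browser",
                "dcom", "dhcp", "dns", "eventlog", "fax", "nmagent", "w3svc", "www"}

# class/host[:port][/name]
SPN_RE = re.compile(
    r"^(?P<cls>[^/]+)/(?P<host>[^:/]+)(?::(?P<port>\d+))?(?:/(?P<name>.+))?$")


def parse_spn(spn):
    """Split an SPN into its parts. Kerberos compares the service class and
    host case-insensitively, so both are lower-cased here."""
    m = SPN_RE.match(spn.strip())
    if not m:
        raise ValueError("not a valid SPN: %r" % spn)
    parts = m.groupdict()
    parts["cls"] = parts["cls"].lower()
    parts["host"] = parts["host"].lower()
    return parts


def resolve_spn(requested, registered):
    """Return the registered SPN that satisfies a ticket request for
    `requested`, or None if none matches. `registered` stands in for the
    target computer's servicePrincipalName attribute. An exact class match
    is accepted first; a class listed in HOST_ALIASES may also be served by
    the HOST/ SPN, mirroring the KDC's sPNMappings lookup."""
    want = parse_spn(requested)
    acceptable = {want["cls"]}
    if want["cls"] in HOST_ALIASES:
        acceptable.add("host")
    for spn in registered:
        have = parse_spn(spn)
        if (have["cls"] in acceptable
                and have["host"] == want["host"]
                and have["port"] == want["port"]
                and have["name"] == want["name"]):
            return spn
    return None


def explain(requested, registered):
    """One line saying why a 'CIFS' request succeeds without a cifs/ SPN."""
    hit = resolve_spn(requested, registered)
    cls = parse_spn(requested)["cls"]
    if hit is None:
        return "%s: no registered SPN matches" % requested
    if cls != parse_spn(hit)["cls"]:
        return "%s: served by %s (%s is an alias of HOST; no %s/ SPN is needed)" % (
            requested, hit, cls, cls)
    return "%s: served by %s" % (requested, hit)


# Constructed sample: the SPNs a domain-joined workstation carries by default.
PC01_SPNS = [
    "HOST/PC01",
    "HOST/PC01.corp.example",
    "RestrictedKrbHost/PC01",
    "RestrictedKrbHost/PC01.corp.example",
    "TERMSRV/PC01",
    "TERMSRV/PC01.corp.example",
]

if __name__ == "__main__":
    for req in ("cifs/PC01.corp.example", "cifs/pc01",
                "MSSQLSvc/PC01.corp.example:1433", "cifs/PC99.corp.example"):
        print(explain(req, PC01_SPNS))
```

To check a real host, replace PC01_SPNS with the output of `setspn -L <computer>` or the computer object's servicePrincipalName attribute; a cifs/ request to a host with only HOST/ entries resolves, while a request for a class that is not an alias (MSSQLSvc in the sample) needs an explicit SPN.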