How to address suspicious activities detected by Microsoft Advanced Threat Analytics

Hi, guys.

    If we get the following suspicious activities detected by ATA, what practical action plans, checks, investigations, etc. (i.e. based on experience) could be done on top of that to determine whether the detection is a true positive, a benign true positive or a false positive?

    1) Honeytoken activity

    2) Suspicion of identity theft based on abnormal behaviour

    3) Unusual protocol implementation

    4) Suspicious authentication failures

    5) Identity theft using Pass-the-Hash attack

    6) Reconnaissance using Directory Services queries

    7) Reconnaissance using account enumeration

    8) Encryption downgrade activity

    Thank you.

    Monday, July 8, 2019 2:14 AM
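One concrete triage check for several of the alert types listed in the question (honeytoken activity, suspicious authentication failures, reconnaissance using account enumeration, encryption downgrade), as an added example that is not part of the original post and not ATA's own tooling: pull the authentication events from a domain controller's Security log and summarise which source touched the account named in the alert, and which sources are failing against many distinct accounts. ATA's alert already names the source computer; this correlates that with what the DC itself recorded so you can tell a vulnerability scanner or a misconfigured service from an actual attacker. The function names, the `DC01` host, the `svc-backup-old` honeytoken account and the lookback window are assumptions; the event IDs and field names are the standard Windows Security log ones. Run it as a user with read access to the DC Security log (for example a member of Event Log Readers).

```powershell
# Added example (not from the original post or from ATA): DC authentication
# event triage for ATA alerts. Host, account and window values are assumptions.

function Get-DcAuthEvent {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    # 4768 TGT requested (also logged on failure, e.g. 0x6 unknown principal),
    # 4771 Kerberos pre-auth failed, 4776 NTLM credential validation (success and failure),
    # 4625 failed logon. All four carry TargetUserName plus a source field.
    $filter = @{
        LogName   = 'Security'
        Id        = 4768, 4771, 4776, 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Kerberos and logon events carry an IP (IPv4-mapped IPv6 form); NTLM carries a workstation name.
        $source = if ($data.IpAddress) { $data.IpAddress -replace '^::ffff:', '' } else { $data.Workstation }
        if (-not $source) { $source = $data.WorkstationName }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Account   = ($data.TargetUserName -replace '@.*$', '').ToLower()
            Source    = $source
            Status    = $data.Status                 # Kerberos: 0x6 = unknown principal, 0x18 = bad password
            EncType   = $data.TicketEncryptionType   # 4768 only: 0x17 = RC4-HMAC, 0x12 = AES256
            LogonType = $data.LogonType              # 4625 only
        }
    }
}

function Get-HoneytokenTouch {
    # Who authenticated as (or failed against) the honeytoken / alerted account, per source and event type.
    param(
        [Parameter(Mandatory)] [string[]]$Account,
        [Parameter(Mandatory)] [object[]]$Events
    )
    $wanted = $Account | ForEach-Object { $_.ToLower() }
    $Events | Where-Object { $wanted -contains $_.Account } |
        Group-Object Source, Id |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                Source  = $sorted[0].Source
                EventId = $sorted[0].Id
                Count   = $_.Count
                First   = $sorted[0].Time
                Last    = $sorted[-1].Time
                Status  = ($sorted.Status | Sort-Object -Unique) -join ','
            }
        }
}

function Get-FailureSourceSummary {
    # Sources failing against many distinct accounts. Mostly 0x6 (principal unknown) from one
    # source is the account-enumeration pattern; 0x18 across many real accounts is a spray.
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$MinAccounts = 10
    )
    $Events |
        Where-Object { ($_.Id -in 4771, 4625) -or ($_.Id -in 4768, 4776 -and $_.Status -ne '0x0') } |
        Group-Object Source |
        ForEach-Object {
            $accounts = @($_.Group.Account | Sort-Object -Unique)
            [pscustomobject]@{
                Source           = $_.Name
                Failures         = $_.Count
                DistinctAccounts = $accounts.Count
                UnknownPrincipal = @($_.Group | Where-Object Status -eq '0x6').Count
                BadPassword      = @($_.Group | Where-Object Status -eq '0x18').Count
            }
        } |
        Where-Object { $_.DistinctAccounts -ge $MinAccounts } |
        Sort-Object DistinctAccounts -Descending
}

# Usage (assumed host and account names):
# $ev = Get-DcAuthEvent -ComputerName 'DC01' -Hours 48
# Get-HoneytokenTouch -Account 'svc-backup-old' -Events $ev | Format-Table
# Get-FailureSourceSummary -Events $ev | Format-Table
# RC4 TGT requests per source and account, for an encryption downgrade alert:
# $ev | Where-Object { $_.Id -eq 4768 -and $_.EncType -eq '0x17' } | Group-Object Source, Account | Format-Table Count, Name
```

Read the output against the alert, not on its own: a honeytoken touched once from the vulnerability scanner's IP with a 4768 status of 0x0 is the classic benign true positive, while the same account requested from a workstation that has no business knowing it exists is the case to escalate. For failures, one source with hundreds of distinct accounts and mostly 0x6 results is enumeration (often a scanner or a pentest, which you confirm by asking the owner of that source), whereas a handful of real accounts with 0x18 from a single source is usually a stale credential in a scheduled task or service. RC4 (0x17) tickets requested by one source for accounts that otherwise use AES point at a downgrade, but check first whether the requesting host or the account is simply not AES-enabled (msDS-SupportedEncryptionTypes) before treating it as an attack.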