locked
Troubleshooting Suspicion of identity theft based on abnormal behavior alets RRS feed

  • Question

  • I have some Suspicion of identity theft based on abnormal behavior alerts and one alert in particular for a user was flagged as requesting access to 32 abnormal resources. When reviewing the alert, I see some resources, both Windows servers and Windows workstations, tagged as CIFS, some server access flagged as LDAP, etc.

    To determine if the user truly accessed the resources listed, what other logs should I be reviewing? Domain controller logs? Netflow/network traffic logs?

    If after investigating, I conclude the alert was a false positive and I close and exclude the user, what exactly am I excluding? Any activity from the user, or just the specific activity occurred for that user for those defined resources?

    Thx

    Thursday, February 1, 2018 9:32 PM

All replies

  • Hello,

    I would recommend to follow the procedures introduced in the ATA suspicious activity guide below.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide

    If you exclude the user from a specific suspicious activity detection, just the specific activity for the user will not be detected, NOT all the activities for the user.

    You can read the following article for excluding entities from detections.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/excluding-entities-from-detections

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 2, 2018 9:25 AM
  • Andy,

    Thx for the reply. One last question - does the Suspicion of identity theft based on normal behavior alert depend upon on Event IDs, or is this alert based purely on traffic it sees from port mirroring?

    Thx

    Thursday, February 15, 2018 3:24 PM
  • Andy,

    We have been running ATA for almost two years and upgraded to ATA 1.9 last month. We started to receive an influx of these alerts around the 3 week mark and they appear, in most cases, a false-positive based off the CIFS access to the local network resources. We have “Delivery Optimization” enabled for Windows 10 and the result is similar to what is explained in this article: https://securityminutes.com/2017/07/20/windows-10-vs-microsoft-ata/

    The Microsoft documentation referenced in the previous post is a little vague on the solution. My core question: What is the best way to address these baseline alerts without excluding the user from the alert? If we suppress for the 7 days, will it assume the previously alerted activity is "normal" and only alert outside of that new norm? What strategy would you recommend?

    Any assistance is greatly appreciated!

    -Chris 

    Thursday, May 3, 2018 4:16 PM