locked
Abnormal behavior - How can I see the detail for the abnormal resource requests RRS feed

  • Question

  • When I get SAs for "Suspicion of identity theft based on abnormal behavior" I can see the list of target computers and Kerberos services but no timestamp, source computer, or domain controller information.

    Where can this data be found in ATA?

    The activity log has some of these requests, but not all of them (e.g. requests made for resources in trusting domains)

    Wednesday, December 26, 2018 12:54 PM

All replies

  • Use the Download details option, which will export the data into excel.

    you will get sheets there with more detailed network activities.

    Wednesday, December 26, 2018 1:16 PM