Hi @Tali Ash 


That's exactly right. I don't see the DNS activity in the source computer timeline. When I search for the source computer from where I did the DNS reconnaissance tests (pointing nslookup to the DC on which the ATP sensor is installed), I see other activities like logins or even SMB activities but not the DNS activities. Same thing if I run other reconnaissance commands like "net user /domain" or "net group "domain admins" /domain".


I'll send you a private message with our tenant info. Thank you very much for your help with this.
