Investigation priority score increase (Preview) alert


Hi 

 

Today we started receiving the above alert in CAS. I appreciate it is in preview, but the contents of the alert made me sit up!

 

Description: "ACCOUNTNAME" investigation priority score has increased from 0 to 208 in 13 hours, higher than 99% of other scored users.

 

Each event that formed part of this alert gave a +8 score on the following action:

Resource access: Device DEVICENAME, property Spns cifs/DEVICENAME.Domain.com

SourcePort: Various

DestinationPort: 88

 

The account in question being the ATP service account, and the activity on 61 different devices, the source being a DC...

Has anyone else seen this? It looks dodgy as hell, this suddenly being logged and not knowing what the activity means. Is this expected activity for the ATP service?

 

Thanks in advance for your response!

2 Replies
Any updates? I would be curious what you concluded here. Probably warrants a support case if you are still stuck.
Are there any updates? We have this with a customer of ours.
We cannot understand what is happening in the background.
Does anyone have an explanation for this?