Sep 16 2021
I observe SAMR queries from some servers and desktops to Domain controller for various user accounts.
So whenever it's a admin account it triggers the Reconnaissance using Directory Services queries alert on ATA(Microsoft Advanced Threat Analytics).
For the investigation I tried to use ATA guide but not sure how to investigate the below?
What can be the legitimate cases for SAM-R queries ?
Note : This is not related to Lenovo issue with SAMR or WaAppAgent.exe