I received an alert that a user attempted to remotely access 5 new assets. At the time of the alert he was working with a coworker on a Teams call. The logs all come from the DNS Query event source. Has anyone else seen this and know what causes this? On a side note, IConn did a great job disabling the account reading the action as LateralMovementDomainCredentials.
Remotely accessing 5 assets would be derived from the Asset Authentication events, not the DNS Query logset.
I’d recommend selecting the Asset Authentication logset, searching for the user involved and grouping by the destination_asset to establish what may have happened.
It's been observed before that when an agent was first installed on servers, the new activity IDR sees can trigger this kind of alert, since the logic is that the user in question has never been observed accessing these assets successfully before.
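To make the triage step (group the user's Asset Authentication events by destination_asset) and the detection logic (a successful login to an asset the user has never successfully reached before) concrete, here is an added example that is not code from the thread or from the product. The event field names, the sample events and the "baseline window" cut-off are constructed assumptions, not the product's real schema.

```python
from collections import Counter

# Constructed sample Asset Authentication events. Field names are assumptions
# that mirror the thread's wording, not the product's exact schema.
EVENTS = [
    {"day": 1,  "user": "jdoe",   "destination_asset": "FS01",    "result": "SUCCESS"},
    {"day": 2,  "user": "jdoe",   "destination_asset": "FS01",    "result": "SUCCESS"},
    {"day": 3,  "user": "jdoe",   "destination_asset": "DC01",    "result": "FAILURE"},
    {"day": 10, "user": "jdoe",   "destination_asset": "FS01",    "result": "SUCCESS"},
    {"day": 10, "user": "jdoe",   "destination_asset": "DC01",    "result": "SUCCESS"},
    {"day": 10, "user": "jdoe",   "destination_asset": "PRINT01", "result": "SUCCESS"},
    {"day": 10, "user": "jdoe",   "destination_asset": "PRINT01", "result": "SUCCESS"},
    {"day": 10, "user": "asmith", "destination_asset": "DC01",    "result": "SUCCESS"},
]


def group_by_destination(events, user, since_day=0):
    """Triage step from the thread: filter to one user and count events per
    destination_asset, so a reviewer sees what was touched and how often."""
    counts = Counter()
    for e in events:
        if e["user"] == user and e["day"] >= since_day:
            counts[e["destination_asset"]] += 1
    return dict(counts)


def baseline_assets(events, user, baseline_end_day):
    """Assets the user SUCCESSFULLY authenticated to on or before
    baseline_end_day. Failures are excluded on purpose: the detection keys
    on successful access, so an earlier failed attempt does not make an
    asset 'known'."""
    return {e["destination_asset"] for e in events
            if e["user"] == user and e["result"] == "SUCCESS"
            and e["day"] <= baseline_end_day}


def new_asset_access(events, user, baseline_end_day):
    """Assets the user successfully reached after the baseline window that
    never appear in their successful history. A freshly deployed agent or a
    newly added network printer surfaces here exactly like a genuine lateral
    move would, which is why the alert needs the grouping above to triage."""
    known = baseline_assets(events, user, baseline_end_day)
    return {e["destination_asset"] for e in events
            if e["user"] == user and e["result"] == "SUCCESS"
            and e["day"] > baseline_end_day
            and e["destination_asset"] not in known}
```

With the constructed events, jdoe's day-10 activity shows two never-before-successful assets (DC01, PRINT01) alongside the already-known FS01, which is the shape of the alert described above.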
I see this kind of alert when a user adds a network printer as well.