This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 38%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFN%3C/text%3E%3C/svg%3E)
We have been receiving floods of alert on "Reconnaissance using Directory Services queries" with newly created account.
machine across the domain is trying to queried the newly created account.
when checking few of the source machine, we found below warning in event log, kindly help to find the fix.
Remote calls to the SAM database n it have been denied in the past 900 seconds throttling window.
@Fahad Noaman
Thank you for your post!
Looking at your issue, you should be able to investigate this issue further by following the Reconnaissance using Directory Services queries documentation. Additionally, you can troubleshoot the issues using the ATA audit logs which can be found under the "Windows Event Logs" -> Applications and Services, Microsoft ATA.
If you'd like to reach out to our Azure Advanced Thread Protection Team.
Please let me know if you have any other questions.
Thank you for your time and patience.
Additional Links:
Advanced Threat Analytics suspicious activity guidesuspicious-activity-guide
User and Group membership reconnaissance (SAMR) (external ID 2021)
@Fahad Noaman
I just wanted to check in and see if you required additional assistance or if you were able to resolve this issue?
This alert trigger when ever we create a new account.