![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 97%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
7,023 questions
SAM-R offers a way to enumurate some info remotely on Windows systems (mostly used for users and groups).
Azure ATP (well MDI, Microsoft Defender for Identity as it is called now) is keeping track of those enumerations. After a learning period of 15 days, if a machine starts making those enumeration differently (more often, or with different scopes) then MDI triggers an alert as it could be the sign of an attacker performing reconnaisance actions.
In your case, to investigate the alert, you will need to understand what triggers that request on that machine. It could be a new application, a new script, a new scheduled tasks. You can also look at the machine entity page and see if there are other alerts or unusual things (like new users connecting to that server, or a lot of failed authentications). More info here: https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-alerts#user-and-group-membership-reconnaissance-samr-external-id-2021
