We got the following ATA alert on a Windows 10 Enterprise Direct Access Enabled laptop which was doing a FAST ring build over build upgrade to Windows 10 Enterprise 10122 this morning:
X.X.X.X (ATA Management Server IP)/suspiciousActivity/376844bd2334dcaab3034733
W10LAPTOP (X.X.X.X)'s Kerberos tickets were stolen from DASERVER (X.X.X.X) to W10LAPTOP (X.X.X.X) and used to access ldap/DC.domain.local/domain.local.
Laptop is: W10LAPTOP. Windows 2012 R2 Domain Controller is DC.domain.local. Windows 2012 R2 Direct Access Server is DASERVER.
We guess this may be a false positive and want to confirm if we need to add ATA exceptions in a Windows 2012 R2 Environment with a Direct Access Server? If so, please explain exactly the exceptions needed. If not, we can provide all requested log files as needed.