Forum Discussion
denkajohansson
Apr 20, 2023Copper Contributor
Missing alerts from MDI, suspicious additions to sensitive groups
Hi there! Without going into specific details about how and what has happened, I can clearly say that we are missing at least two alerts regarding suspicious additions to sensitive groups. W...
- Apr 21, 2023
We tested this detection for the first time this week and also found that it doesn't work. Currently have a support case open with Microsoft but no real progress yet. At the time of the group membership change, the log file (C:\Program Files\Azure Advanced Threat Protection Sensor\#\Logs\Microsoft.Tri.Sensor.log) has a line starting with:
[timestamp] Warn EventActivityEntityResolver ResolveDirectoryServicesChangeEventAsync directoryServicesChangeEvent ....
Not yet sure if this is significant or not.
SABBIR_RUBAYAT
Apr 20, 2023Iron Contributor
Don't forget to mark as helpful and like my comment if you find it helpful.
If you are experiencing missing alerts from Microsoft Defender and suspicious additions to sensitive groups, it could be an indication of a potential security threat or a misconfiguration of your system. Here are some steps you can take:
1. Check the configuration of Microsoft Defender: Make sure that Microsoft Defender is properly configured and that all the necessary features are enabled. Check if the alert settings are properly configured and if there are any exclusions that might be affecting the detection of suspicious activities.
2. Run a full system scan: Perform a full system scan using Microsoft Defender to identify any potential malware or other security threats on your system.
3. Check group membership: Verify the membership of sensitive groups to ensure that only authorized users have access. Review the audit logs to determine if there have been any unauthorized changes to group membership.
4. Investigate suspicious activities: If you identify any suspicious activities or changes, investigate them further to determine the cause and take appropriate action. This could include disabling compromised accounts, revoking privileges, and changing passwords.
5. Consider getting help: If you are unable to resolve the issue on your own, consider getting help from a qualified security professional or Microsoft support. They can help you investigate and address the issue to ensure the security of your system.
Remember that prevention is always better than cure. Regularly updating your software and implementing strong security practices can help prevent security incidents before they occur.
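The reply above suggests reviewing the audit logs for group membership changes, and the earlier reply points at a `Warn EventActivityEntityResolver` line in the sensor log at the time of the change. The script below is an added example, not code from this thread or from Microsoft: it pulls the member-added audit events (4728/4732/4756) for a list of sensitive groups from a domain controller's Security log and reports whether the sensor log wrote that warning within a short window of each change, so you can see which additions the sensor at least saw. The group list, the seven-day lookback, the 120-second window and the assumption that sensor log lines start with a `yyyy-MM-dd HH:mm:ss` timestamp are my assumptions; adjust them to your environment.

```powershell
# Added example (not from the thread): correlate sensitive-group membership changes
# on a domain controller with MDI sensor log warnings logged around the same time.
# Run on the DC that hosts the sensor, in an elevated PowerShell session.
# Assumptions (mine): the Security log on this DC holds the group-change events,
# and sensor log lines begin with a "yyyy-MM-dd HH:mm:ss" timestamp.
param(
    [string[]]$SensitiveGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
    [datetime]$Since = (Get-Date).AddDays(-7),
    [int]$WindowSeconds = 120
)

# 4728 / 4732 / 4756 = member added to a security-enabled global / local / universal group
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since } -ErrorAction SilentlyContinue

function Get-EventDataValue {
    # Pull one named <Data> element out of the event's EventData section
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Keep only additions to the groups we care about
$changes = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $group = Get-EventDataValue -Xml $x -Name 'TargetUserName'
    if ($SensitiveGroups -notcontains $group) { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Group   = $group
        Member  = Get-EventDataValue -Xml $x -Name 'MemberName'
        Actor   = Get-EventDataValue -Xml $x -Name 'SubjectUserName'
    }
}

# The version folder name under the sensor directory varies (the thread shows it as '#'), so glob for it
$sensorLogs = Get-ChildItem 'C:\Program Files\Azure Advanced Threat Protection Sensor\*\Logs\Microsoft.Tri.Sensor.log' -ErrorAction SilentlyContinue

# Collect the resolver warnings the earlier reply mentioned, with their timestamps
$warnLines = foreach ($log in $sensorLogs) {
    Select-String -Path $log.FullName -Pattern 'Warn\s+EventActivityEntityResolver\s+ResolveDirectoryServicesChangeEventAsync' |
        ForEach-Object {
            # Assumption: line starts with "yyyy-MM-dd HH:mm:ss"; extend the regex if your sensor logs differ
            if ($_.Line -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
                [pscustomobject]@{ Time = [datetime]$matches[1]; Line = $_.Line }
            }
        }
}

# Note: if the sensor writes UTC timestamps while TimeCreated is local time,
# convert one side (e.g. $c.Time.ToUniversalTime()) before comparing.
$changes | ForEach-Object {
    $c = $_
    $nearby = @($warnLines | Where-Object { [math]::Abs(($_.Time - $c.Time).TotalSeconds) -le $WindowSeconds })
    [pscustomobject]@{
        Time             = $c.Time
        EventId          = $c.EventId
        Group            = $c.Group
        Member           = $c.Member
        Actor            = $c.Actor
        SensorWarnNearby = $nearby.Count -gt 0
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Every row in the output is a sensitive-group addition the DC audited; rows with `SensorWarnNearby` set to true are the ones to hand to the support case alongside the missing alert, since they show the sensor processed the change but logged a resolver warning instead of raising an alert. Rows without an alert and without a warning point at a different gap (the sensor not receiving the event at all), which is worth stating separately.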
- denkajohansson
Apr 24, 2023Copper Contributor
Hi and thanks for your response.
Defender is configured properly and all features are enabled. There are no exclusions that would suppress an alert.
I'm not going to bother with question number two; that would have been identified much earlier.
The group membership has been checked and the members were changed, without an alert. And this has also been resolved.
The thing is that somehow MDI classes some additions as alerts and some it just skips, even though the group is marked as a sensitive group.
- SABBIR_RUBAYAT
Apr 24, 2023Iron Contributor
In some cases I also agree. MICROSOFT DEFENDER has to go a long way, brother. Don't think you will get much help in this case now.
- faruk2bd1971
Apr 23, 2023Copper Contributor
Best response
- SABBIR_RUBAYAT
Apr 23, 2023Iron Contributor
Thank you bhai