Missing alerts from MDI, suspicious additions to sensitive groups
- Apr 21, 2023
We tested this detection for the first time this week and also found that it doesn't work. Currently have a support case open with Microsoft but no real progress yet. At the time of the group membership change, the log file (C:\Program Files\Azure Advanced Threat Protection Sensor\#\Logs\Microsoft.Tri.Sensor.log) has a line starting with:
[timestamp] Warn EventActivityEntityResolver ResolveDirectoryServicesChangeEventAsync directoryServicesChangeEvent ....
Not yet sure if this is significant or not.
Don't forget to mark helpful and like my comment if you find it helpful
If you are experiencing missing alerts from Microsoft Defender and suspicious additions to sensitive groups, it could be an indication of a potential security threat or a misconfiguration of your system. Here are some steps you can take:
1. Check the configuration of Microsoft Defender: Make sure that Microsoft Defender is properly configured and that all the necessary features are enabled. Check if the alert settings are properly configured and if there are any exclusions that might be affecting the detection of suspicious activities.
2. Run a full system scan: Perform a full system scan using Microsoft Defender to identify any potential malware or other security threats on your system.
3. Check group membership: Verify the membership of sensitive groups to ensure that only authorized users have access. Review the audit logs to determine if there have been any unauthorized changes to group membership.
4. Investigate suspicious activities: If you identify any suspicious activities or changes, investigate them further to determine the cause and take appropriate action. This could include disabling compromised accounts, revoking privileges, and changing passwords.
5. Consider getting help: If you are unable to resolve the issue on your own, consider getting help from a qualified security professional or Microsoft support. They can help you investigate and address the issue to ensure the security of your system.
Remember that prevention is always better than cure. Regularly updating your software and implementing strong security practices can help prevent security incidents before they occur.
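Step 3 above (review the audit logs for changes to sensitive group membership) can be done directly against the domain controller's Security log while the MDI alert is not firing. The script below is an added example for this thread, not code from the original posts or from Microsoft; it assumes it is run on a domain controller (or against a central collector holding DC Security logs) with rights to read that log, and the group list and lookback window are placeholders to adjust for your environment.

```powershell
# Added example (not from the original thread): compensating check for additions to
# sensitive AD groups, read from the Security event log instead of relying on the
# MDI "suspicious additions to sensitive groups" alert.
# Assumptions: run on a DC with rights to read the Security log; the group list and
# the 7-day lookback are placeholders chosen for this example.

$SensitiveGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
    'DnsAdmins', 'Group Policy Creator Owners'
)
$Lookback = (Get-Date).AddDays(-7)

# Security event IDs written when a member is added to a security-enabled group:
#   4728 = global group, 4732 = domain local group, 4756 = universal group
$Filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Lookback }
$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

$Hits = foreach ($e in $Events) {
    # Pull the named EventData fields out of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # TargetUserName is the group that was modified; MemberName is the DN of the
    # principal added; SubjectUserName is the account that made the change.
    if ($SensitiveGroups -contains $d['TargetUserName']) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Group     = $d['TargetUserName']
            GroupSid  = $d['TargetSid']
            Member    = $d['MemberName']
            MemberSid = $d['MemberSid']
            ChangedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Computer  = $e.MachineName
        }
    }
}

if ($Hits) {
    $Hits | Sort-Object Time | Format-Table -AutoSize
} else {
    "No additions to the listed sensitive groups since $Lookback on $env:COMPUTERNAME"
}
```

These events are written only on the domain controller that processed the change, so run the check on every DC or point it at forwarded logs. The `ChangedBy` and `Time` columns are what you would correlate against the MDI sensor log timestamps mentioned earlier in the thread when raising the support case.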
- SABBIR_RUBAYAT, Apr 23, 2023, Iron Contributor
Thank you, brother.