Forum Discussion
denkajohansson
Apr 20, 2023, Copper Contributor
Missing alerts from MDI, suspicious additions to sensitive groups
Hi there! Without going into specific details about how and what have happened I can clearly say that we are missing at least two alerts regarding suspicious additions to sensitive groups. W...
- Apr 21, 2023
We tested this detection for the first time this week and also found that it doesn't work. Currently have a support case open with Microsoft but no real progress yet. At the time of the group membership change, the log file (C:\Program Files\Azure Advanced Threat Protection Sensor\#\Logs\Microsoft.Tri.Sensor.log) has a line starting with:
[timestamp] Warn EventActivityEntityResolver ResolveDirectoryServicesChangeEventAsync directoryServicesChangeEvent ....
Not yet sure if this is significant or not.
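The check described in the reply above, as an added example (not code from the thread or from Microsoft): run on the domain controller that served the change, it pulls the member-added Security events (4728/4732/4756) for the named group and the sensor-log warnings from EventActivityEntityResolver ResolveDirectoryServicesChangeEventAsync, then lists which warnings fall within a few minutes of each add so the two can be compared. Assumptions not stated on the page: the numbered subfolder under the sensor install directory is its version folder (so it is matched with a wildcard rather than hard-coded), sensor log lines begin with a "yyyy-MM-dd HH:mm:ss" timestamp in UTC, rotated copies of the log share the Microsoft.Tri.Sensor*.log name, and the event field names used (TargetUserName, MemberName, SubjectUserName) are those of the standard 4728/4732/4756 event data.

```powershell
# Added example, not from the thread: correlate group-membership-add events with
# MDI sensor-log warnings from EventActivityEntityResolver on a domain controller.
param(
    [Parameter(Mandatory)] [string] $GroupName,              # sensitive group you added a member to
    [datetime] $Start = (Get-Date).AddHours(-2),
    [datetime] $End   = (Get-Date),
    [int] $WindowMinutes = 5                                   # how close a warning must be to count as "at the time"
)

# 4728 / 4732 / 4756: member added to a security-enabled global / local / universal group
$addEventIds = 4728, 4732, 4756

# Pull a named EventData field from the event XML (field names assumed per the standard event schema)
function Get-EventData($Event, $Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$adds = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $addEventIds; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventData $_ 'TargetUserName') -eq $GroupName } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Group   = Get-EventData $_ 'TargetUserName'
            Member  = Get-EventData $_ 'MemberName'
            Actor   = Get-EventData $_ 'SubjectUserName'
        }
    }

if (-not $adds) {
    Write-Warning "No member-add events for '$GroupName' between $Start and $End on this DC; the change may have been served by another DC."
}

# Sensor log lives under the numbered (version) folder; assumption: match it with a wildcard.
$logRoot  = 'C:\Program Files\Azure Advanced Threat Protection Sensor'
$logFiles = Get-ChildItem -Path (Join-Path $logRoot '*\Logs\Microsoft.Tri.Sensor*.log') -ErrorAction SilentlyContinue
if (-not $logFiles) { Write-Warning "No sensor log found under $logRoot" }

$pattern  = 'Warn\s+EventActivityEntityResolver\s+ResolveDirectoryServicesChangeEventAsync'
$warnings = foreach ($f in $logFiles) {
    Select-String -Path $f.FullName -Pattern $pattern | ForEach-Object {
        $ts = $null
        # Assumption: line starts with a UTC timestamp "yyyy-MM-dd HH:mm:ss"
        if ($_.Line -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
            $ts = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
        }
        [pscustomobject]@{ TimeUtc = $ts; File = $f.Name; Line = $_.Line }
    }
}

# Report: each add event, followed by sensor warnings within +/- $WindowMinutes of it (compared in UTC)
foreach ($a in $adds) {
    "{0:u}  EventID {1}  group={2}  member={3}  by={4}" -f $a.Time, $a.EventId, $a.Group, $a.Member, $a.Actor
    $t = $a.Time.ToUniversalTime()
    $near = $warnings | Where-Object { $_.TimeUtc -and [math]::Abs(($_.TimeUtc - $t).TotalMinutes) -le $WindowMinutes }
    if ($near) {
        $near | ForEach-Object { "    sensor warning at {0:u} ({1}): {2}" -f $_.TimeUtc, $_.File, $_.Line }
    } else {
        "    no EventActivityEntityResolver warning within $WindowMinutes min of this change"
    }
}

# Warnings whose timestamp could not be parsed are listed separately so nothing is silently dropped
$warnings | Where-Object { -not $_.TimeUtc } | ForEach-Object { "unparsed-timestamp warning ({0}): {1}" -f $_.File, $_.Line }
```

Run it as an administrator on the DC with the sensor installed, e.g. `.\Compare-MdiGroupChange.ps1 -GroupName 'Domain Admins'` (script name assumed). If the add event exists but no warning lands near it, or a warning lands near it and no alert fires, both facts are worth attaching to the support case, since they narrow whether the sensor saw the change at all.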
denkajohansson
Apr 24, 2023, Copper Contributor
Hi and thanks for your response.
Defender is configured properly and all features are enabled. There are no exclusions that would suppress an alert.
I'm not going to bother about question number two; that would have been identified much earlier.
The group membership has been checked and the members were changed, without an alert. And this has also been resolved.
The thing is that somehow MDI classifies some additions as alerts and some it just skips, even though the group is marked as a sensitive group.
SABBIR_RUBAYAT
Apr 24, 2023, Iron Contributor
In some cases I also agree. Microsoft Defender has to go a long way, brother. Don't think you will get much help in this case now.