Forum Discussion

denkajohansson
Brass Contributor
Apr 20, 2023

Missing alerts from MDI, suspicious additions to sensitive groups

Hi there! Without going into specific details about how and what has happened, I can clearly say that we are missing at least two alerts regarding suspicious additions to sensitive groups. W...
  • pc-88
    Apr 21, 2023
    We tested this detection for the first time this week and also found that it doesn't work. Currently have a support case open with Microsoft but no real progress yet. At the time of the group membership change, the log file (C:\Program Files\Azure Advanced Threat Protection Sensor\#\Logs\Microsoft.Tri.Sensor.log) has a line starting with:
    [timestamp] Warn EventActivityEntityResolver ResolveDirectoryServicesChangeEventAsync directoryServicesChangeEvent ....
    Not yet sure if this is significant or not.
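A way to reproduce the log check pc-88 describes across a set of changes, added here as an example and not code from the thread or from Microsoft: it pulls member-added events for sensitive groups from the DC Security log and lists the EventActivityEntityResolver warnings the sensor log wrote within a window around each one. Assumptions not stated in the thread: it runs elevated on the DC that hosts the sensor; the `#` in the quoted path is the sensor version folder, so a wildcard is used and the newest log is picked; sensor log lines begin with a `yyyy-MM-dd HH:mm:ss.ffff Level Class Method` prefix and their timestamps are UTC (use `-SensorLogIsLocalTime` if yours are not); the group list and window are illustrative.

```powershell
# Added example, not code from the thread. Correlates sensitive-group additions
# (Security log) with EventActivityEntityResolver warnings in the MDI sensor log.
#
# Assumptions: run elevated on the DC hosting the sensor; the thread's '#' path
# element is the sensor version folder (wildcard below); sensor log lines start
# with "yyyy-MM-dd HH:mm:ss.ffff Level Class Method"; sensor timestamps are UTC.

param(
    [string[]]$SensitiveGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'),
    [int]$WindowSeconds = 120,
    [datetime]$Since = (Get-Date).AddDays(-1),
    [switch]$SensorLogIsLocalTime
)

# Newest sensor log under whatever version folder is installed (assumed layout).
$sensorLog = Get-ChildItem 'C:\Program Files\Azure Advanced Threat Protection Sensor\*\Logs\Microsoft.Tri.Sensor.log' -ErrorAction Stop |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1

# 4728 / 4732 / 4756: member added to a global / domain-local / universal security group.
$adds = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Group  = $data['TargetUserName']   # group that received the member
            Member = $data['MemberName']       # DN of the added principal
            Actor  = $data['SubjectUserName']  # who performed the change
        }
    } |
    Where-Object { $SensitiveGroups -contains $_.Group }

# Only the warning lines the thread mentions, with their timestamps parsed.
$warnPattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+Warn\s+EventActivityEntityResolver\s+ResolveDirectoryServicesChangeEventAsync'
$warnings = Select-String -Path $sensorLog.FullName -Pattern $warnPattern | ForEach-Object {
    $ts = [datetime]::Parse($_.Matches[0].Groups['ts'].Value, [cultureinfo]::InvariantCulture)
    if (-not $SensorLogIsLocalTime) { $ts = [datetime]::SpecifyKind($ts, 'Utc').ToLocalTime() }
    [pscustomobject]@{ Time = $ts; Line = $_.Line }
}

# For each sensitive-group addition, count sensor warnings within +/- $WindowSeconds.
$adds | ForEach-Object {
    $add  = $_
    $near = @($warnings | Where-Object { [math]::Abs(($_.Time - $add.Time).TotalSeconds) -le $WindowSeconds })
    $first = if ($near.Count -gt 0) { $near[0].Line } else { '' }
    [pscustomobject]@{
        Time           = $add.Time
        Group          = $add.Group
        Member         = $add.Member
        Actor          = $add.Actor
        SensorWarnings = $near.Count
        FirstWarning   = $first
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A non-zero `SensorWarnings` column only tells you that the sensor logged the resolver warning at the moment of the change; it does not by itself show why no alert was raised, but it gives a timestamped line to attach to a support case.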
