Forum Discussion
denkajohansson
Apr 20, 2023 Brass Contributor
Missing alerts from MDI, suspicious additions to sensitive groups
Hi there! Without going into specific details about how and what has happened, I can clearly say that we are missing at least two alerts regarding suspicious additions to sensitive groups. W...
- Apr 21, 2023: We tested this detection for the first time this week and also found that it doesn't work. Currently have a support case open with Microsoft but no real progress yet. At the time of the group membership change, the log file (C:\Program Files\Azure Advanced Threat Protection Sensor\#\Logs\Microsoft.Tri.Sensor.log) has a line starting with:
[timestamp] Warn EventActivityEntityResolver ResolveDirectoryServicesChangeEventAsync directoryServicesChangeEvent ....
Not yet sure if this is significant or not.
GeraldKSmith
May 08, 2023 Microsoft
This is most likely due to the learning period of the Alert itself. - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts#suspicious-additions-to-sensitive-groups-external-id-2024
Key wording here is "Abnormal"
Advanced hunting has options for sensitive audits. Please feel free to use M365D's advanced hunting to see further options with groups - https://techcommunity.microsoft.com/t5/security-compliance-and-identity/track-changes-to-sensitive-groups-with-advanced-hunting-in/ba-p/3275198
- denkajohansson
May 10, 2023 Brass Contributor
Without saying too much, it's probably not the learning period since we have had this set up for over two years now.
Regarding the abnormal part, it's possible that it's not abnormal with the account that was used but abnormal with what kind of users were added.
We do have a support case open regarding this.
- pc-88
May 28, 2023 Brass Contributor
The conclusion of our case was that, due to the learning period, MDI didn't believe that these sensitive group additions were unusual. This was confirmed by switching on the option "Remove learning period" and confirming that the alert now started triggering more readily. This makes the alert basically useless for us, so I was advised to submit feedback using the feedback button in the Defender admin console.
The support agent did mention that we can set up a rule in Defender for Cloud Apps that will emulate this detection, which I have started testing and which seems to work well. We've also set up an email alert in Scheduled Tasks that triggers on event ID 4728, because this fires off much more quickly than any of the Defender alerts.
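As an added example (not code from anyone in this thread), here is the kind of check a scheduled task triggered on event ID 4728 could run on a domain controller: it reads recent group-membership additions from the Security log and reports only those touching a defined list of sensitive groups. It goes slightly beyond the post by also covering 4732 and 4756, the local- and universal-group equivalents of 4728; the group list, the 15-minute look-back window and the output handling are assumptions.

```powershell
# Added example: run on a domain controller, e.g. from a scheduled task whose
# trigger is Security event 4728. Reports additions to sensitive groups from
# 4728 (global group), 4732 (local group) and 4756 (universal group).
# Group list, look-back window and output handling are assumptions.

$SensitiveGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)
$LookBackMinutes = 15

$filter = @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddMinutes(-$LookBackMinutes)
}

# Get-WinEvent throws when nothing matches the filter; treat that as "no events"
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # The XML form of the record exposes EventData fields by name
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # TargetUserName holds the group that received the new member
    $group = $data['TargetUserName']
    if ($SensitiveGroups -notcontains $group) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Group     = "$($data['TargetDomainName'])\$group"
        MemberDN  = $data['MemberName']   # distinguished name of the added account
        MemberSid = $data['MemberSid']
        AddedBy   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Computer  = $xml.Event.System.Computer
    }
}

if ($hits) {
    # Hand the findings to whatever notification the task uses (mail, ticket, SIEM)
    $body = $hits | Format-Table -AutoSize | Out-String
    Write-Output $body
}
```

Because the scheduled task fires on the event itself rather than on a learning-period baseline, every addition to a listed group is reported; tune the group list to the environment rather than relying on name matching alone if groups are nested.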