Forum Discussion
Apr 20, 2023
Missing alerts from MDI, suspicious additions to sensitive groups
Hi there! Without going into specific details about how and what have happened I can clearly say that we are missing at least two alerts regarding suspicious additions to sensitive groups. W...
Apr 21, 2023
We tested this detection for the first time this week and also found that it doesn't work. Currently have a support case open with Microsoft but no real progress yet. At the time of the group membership change, the log file (C:\Program Files\Azure Advanced Threat Protection Sensor\#\Logs\Microsoft.Tri.Sensor.log) has a line starting with:
[timestamp] Warn EventActivityEntityResolver ResolveDirectoryServicesChangeEventAsync directoryServicesChangeEvent ....
Not yet sure if this is significant or not.
May 10, 2023
Without saying too much, it's probably not the learning period, since we have had this set up for over two years now.
Regarding the abnormal part, it's possible that it's not abnormal with the account that was used but abnormal with what kind of users were added.
We do have a support case open regarding this.
pc-88
May 28, 2023
Copper Contributor
The conclusion of our case was that, due to the learning period, MDI didn't believe that these sensitive group additions were unusual. This was confirmed by switching on the option "Remove learning period" and confirming that the alert now started triggering more readily. This makes the alert basically useless for us, so I was advised to submit feedback using the feedback button in the Defender admin console.
The support agent did mention that we can set up a rule in Defender for Cloud Apps that will emulate this detection, which I have started testing and seems to work well. We've also set up an email alert in Scheduled Tasks that triggers on event ID 4728, because this fires off much more quickly than any of the Defender alerts.
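The Scheduled Tasks alert on event ID 4728 that the reply above describes, as an added example (not code from the thread or from Microsoft): a PowerShell script that registers an event-triggered task on a domain controller and mails the group, member and actor parsed from the event. It goes beyond the post by also subscribing to 4732 and 4756, because 4728 only covers global groups (Domain Admins) while Administrators is domain-local and Enterprise Admins is universal; the SMTP host, addresses, script path and sensitive-group list are placeholders to adjust.

```powershell
# Added example, not from the thread. Run elevated on each domain controller,
# since the 47xx event is logged on the DC that processed the membership change.
# Placeholders: script path, SMTP host, mail addresses and the sensitive-group list.
# Beyond the post: 4728 = global group, 4732 = domain-local group, 4756 = universal group.

$ScriptPath = 'C:\Scripts\Alert-SensitiveGroupAdd.ps1'   # placeholder path

# --- action script written to disk; it runs each time the trigger fires ---
@'
$SensitiveGroups = @('Domain Admins','Enterprise Admins','Schema Admins','Administrators')  # placeholder list
# Newest matching event; the task fires once per event, so this is the one that triggered it
$evt  = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4732,4756} -MaxEvents 1
$data = @{}
([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
if ($SensitiveGroups -notcontains $data.TargetUserName) { return }   # not a sensitive group: stay quiet
$body = @"
Event ID : $($evt.Id)
Time     : $($evt.TimeCreated)
DC       : $($evt.MachineName)
Group    : $($data.TargetDomainName)\$($data.TargetUserName)
Member   : $($data.MemberName)
Actor    : $($data.SubjectDomainName)\$($data.SubjectUserName)
"@
Send-MailMessage -SmtpServer 'smtp.example.internal' -From 'dc-alerts@example.internal' `
    -To 'soc@example.internal' -Subject "Sensitive group change: $($data.TargetUserName)" -Body $body
'@ | Set-Content -Path $ScriptPath -Encoding UTF8

# --- event trigger: no cmdlet builds event triggers, so create the CIM instance directly ---
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled = $true
$trigger.Subscription = @'
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">*[System[(EventID=4728 or EventID=4732 or EventID=4756)]]</Select>
</Query></QueryList>
'@

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Alert-SensitiveGroupAdd' -Trigger $trigger -Action $action `
    -Principal $principal -Description 'Mail on additions to sensitive AD groups' -Force
```

Because the task reacts to the local Security log, it fires within seconds of the change, which is the speed advantage over the learning-period-dependent MDI alert that the reply mentions.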