Sensitive entities

Question

Hi all&nbsp;I have been trying to trigger an event to determine whether the sensor is creating the alert I expect to see. To do this I added about 5 random accounts to my Domain Admins group (yes, this is test environment). I'm not seeing any alerts. I would expect this event to trigger the "Suspicious additions to sensitive groups" alert, but I get nothing.&nbsp;I've configured auditing per the guidance from Microsoft and I can see the Audit Event ID 4728 being generated in the Security log.&nbsp;Any thoughts on this? I am seeing other alerts, so I know the sensors are working generally.&nbsp;ThanksTony

chris_carbine · Answer

murrato1&nbsp;I am receiving the same issue. I have added accounts to the domain admins group which should trigger an alert but nothing happens.&nbsp;&nbsp;

or tsemah · Answer

murrato1&nbsp;Adding&nbsp;Daniel Naim&nbsp;

fankydotorg · Answer

Hi&nbsp;murrato1&nbsp;&nbsp;We have the same issue.&nbsp; Are you aware of the fact that this Alert has a learning period of four weeks since the first event was logged?&nbsp;Microsoft Defender for Identity domain dominance security alerts | Microsoft Docs&nbsp;If you found any solutions meanwhile it would be great if you can share it.&nbsp;&nbsp;best regards

Forum Discussion

Sensitive entities

Share

Resources