Forum Discussion
Sensitive groups
Has anyone managed to get anything meaningful from Sensitive Groups? I thought the intent was to "monitor" those groups for membership changes. I have pushed and pulled users in and out of groups (say, Domain Admins) and I never get notified of anything!
- EliOfek (Microsoft)
This detector needs a learning period before it is active.
How long is the system deployed with this version?
- StuartH. (Brass Contributor)
At least 8 weeks. What actually is the detector learning? "Normal" modifications by expected admins or other sensitive users?
- EliOfek (Microsoft)
Generally yes.
Wait for 2-3 more weeks; then, to invoke the alert, try to modify a sensitive group using an account that does not normally do it...
- Gerson Levitz (Iron Contributor)
Hi Stuart,
There is a report that will show you all of the sensitive group modifications. Can you run this report and see if it has the modifications you did recently?
Thanks
Gershon
- StuartH. (Brass Contributor)
The group in question (as a test) was not one that normally gets modified at all... in fact it has probably not been modified for 12 months, by anyone previously.
Yes, was aware of the report... and there is NOTHING at all in the report, which actually would be more useful to me than a console alert. Why would it not show in the report? Yes, auditing for group membership is enabled, and yes, it shows on the event log.
- EliOfek (Microsoft)
Which domain group was it?
Keep in mind that in 1.8.* we are using a closed list of groups defined as sensitive.
In a future version you will be able to tag yourself which groups are sensitive for you.