StuartH .
Brass Contributor
Jan 26, 2018

Sensitive groups

Has anyone managed to get anything meaningful from Sensitive Groups? I thought the intent was to "monitor" those groups for membership changes. I have pushed and pulled users in and out of groups (say, Domain Admins) and I never get notified of anything!

  • This detector needs a learning period before it is active.

    How long has the system been deployed with this version?


    • StuartH .
      Brass Contributor

      At least 8 weeks. What actually is the detector learning? "Normal" modifications by expected admins or other sensitive users?

      • EliOfek
        Microsoft

        Generally yes.

        Wait for 2-3 more weeks; then, to invoke the alert, try to modify a sensitive group using an account that does not normally do it...

  • Hi Stuart,

    There is a report that will show you all of the sensitive group modifications. Can you run this report and see if it has the modifications you did recently?


    Thanks

    Gershon

    • StuartH .
      Brass Contributor

      The group in question (as a test) was not one that normally gets modified at all... in fact it has probably not been modified for 12 months, by anyone previously.

      Yes, was aware of the report... and there is NOTHING at all in the report, which actually would be more useful to me than a console alert. Why would it not show in the report? Yes, auditing for group membership is enabled, and yes, it shows on the event log.

      • EliOfek
        Microsoft

        Which domain group was it?

        Keep in mind that in 1.8.* we are using a closed list of groups defined as sensitive.

        In a future version you will be able to tag for yourself which groups are sensitive for you.
