Forum Discussion

ActualCassandra
Copper Contributor
Oct 23, 2023

MDE repeatable false positive "Multi-stage incident involving Privilege escalation..." How to fix?

Anyone else seeing this? It always has 57 alerts, too, and the Detection source is always 'Custom TI' and always at the same time in the morning. Doesn't matter if the machine is managed, AD joined, etc.


More details: all show the Windows Error Manager process (the other week I saw something similar, but triggered by the Windows activation check).


Any ideas? I didn't set this tenant up, so I wonder if there is some weird setting somewhere that is causing these false positives. I don't see any entries under Endpoint settings > Rules > Indicators, which is what I thought would have been causing this.
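A small triage helper for the pattern described in this post (the same alert, from the same detection source, at the same clock time every day). This is an added example, not code from the thread or from Microsoft; the record fields (alertCreationTime, detectionSource, title, machineId) are modelled on the MDE alerts API shape, and the records themselves are constructed.

```python
"""Group alerts by (detection source, title, HH:MM) and report the groups that
recur on several distinct days. A recurring group is a candidate for a
scheduled root cause (custom indicator, scheduled task, periodic OS check)
rather than a one-off detection, and is worth explaining before tuning it away."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: three days of the same "CustomTI" alert at 06:00 on one
# host (two alerts per day), plus one unrelated EDR alert that must not be flagged.
SAMPLE_ALERTS = [
    {"id": f"da{d}{n}",
     "alertCreationTime": f"2023-10-{20 + d:02d}T06:00:{n:02d}Z",
     "detectionSource": "CustomTI",
     "title": "Multi-stage incident involving Privilege escalation",
     "machineId": "host-a"}
    for d in range(3) for n in range(2)
] + [
    {"id": "edr1", "alertCreationTime": "2023-10-21T14:37:10Z",
     "detectionSource": "WindowsDefenderAtp", "title": "Suspicious PowerShell",
     "machineId": "host-b"},
]


def recurring_alert_patterns(alerts, min_days=2):
    """Return {(detectionSource, title, 'HH:MM'): {date: count}} for every
    group seen on at least `min_days` distinct days."""
    groups = defaultdict(lambda: defaultdict(int))
    for alert in alerts:
        ts = datetime.strptime(alert["alertCreationTime"], "%Y-%m-%dT%H:%M:%SZ")
        key = (alert["detectionSource"], alert["title"], ts.strftime("%H:%M"))
        groups[key][ts.date().isoformat()] += 1
    return {key: dict(sorted(per_day.items()))
            for key, per_day in groups.items() if len(per_day) >= min_days}


if __name__ == "__main__":
    for key, per_day in recurring_alert_patterns(SAMPLE_ALERTS).items():
        print(key, per_day)
```

Feed it an export of alerts from the portal or API instead of SAMPLE_ALERTS; a per-day count that matches the number seen in the incident (57 in this thread) points at a single scheduled source.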


  • jbmartin6
    Iron Contributor
    "Custom TI" makes me think this is some custom indicator added by previous admins. Take a look in settings/endpoints/indicators and see if anything there sheds any light.
    • jbmartin6
      Iron Contributor
      Phooey, I just realized I didn't read your last paragraph. Never mind.
  • ActualCassandra Hi, it seems only a single asset is affected by those signals from MDE. By default, MDE has signals that monitor your endpoints' activities and generate alerts accordingly. Make sure that this endpoint doesn't contain any malicious files and that the user isn't performing any abnormal behavior before you decide to suppress that alert or consider it a false positive.


    To suppress a false positive alert, you can click on the alert and choose to tune it.


    • ActualCassandra
      Copper Contributor

      Thanks 🙂 However, this happens with any Windows 10 device that we install MDE onto, and I'd like to figure out why it is happening and fix the root cause.


      What does the detection source of 'Custom TI' relate to? I double-checked the MDE API (ran list indicators) and it has nothing that would result in this repeated multi-stage incident showing up every 24 hours.

      • eliekarkafy
        MVP

        ActualCassandra Are all your devices onboarded to MDE triggering the same type of alerts as below? Or is it specific to a single machine? From your screenshot I can see that only a single machine is being affected.
