Forum Discussion
ActualCassandra
Oct 23, 2023, Copper Contributor
MDE repeatable false positive "Multi-stage incident involving Privilege escalation..." How to fix?
Anyone else seeing this? It always has 57 alerts, too, and the Detection source is always 'Custom TI' and always at the same time in the morning. Doesn't matter if the machine is managed, AD joined, ...
jbmartin6
Oct 24, 2023, Iron Contributor
"Custom TI" makes me think this is some custom indicator added by previous admins. Take a look in settings/endpoints/indicators and see if anything there sheds any light.
jbmartin6
Oct 24, 2023, Iron Contributor
Phooey, I just realized I didn't read your last paragraph. Never mind.
jbmartin6
Oct 24, 2023, Iron Contributor
Custom detection rule maybe?

ActualCassandra
Oct 24, 2023, Copper Contributor
Custom detection rules create alerts which show a Detection Source of 'Custom detection'. Just had a quick look and none are being triggered.
'Custom TI' looks like it really should be from an indicator, but the only ones I see via the API (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/get-ti-indicators-collection?view=o365-worldwide) are things like the Defender for Cloud Apps policies and MDE web filtering.

jbmartin6
Oct 24, 2023, Iron Contributor
I feel like that GUID in the alert names is a clue, but what it means I don't know. Definitely a weird one.
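As an added example, not code from this thread or from Microsoft: a Python helper that cross-checks 'CustomTI' alerts against the indicator list the TI indicators API returns, flags any alert whose evidence matches no visible indicator (the situation described above) together with the GUID in its title, and buckets alert timestamps per UTC hour to confirm the recurring morning burst. The alert and indicator records are constructed samples in the shape of the MDE Alerts API and the TI indicators collection API; the `source` strings and the idea that the title GUID identifies the indicator are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample alerts in the shape of the MDE Alerts API (GET /api/alerts).
# 'CustomTI' is the documented detectionSource value; ids, titles and values are made up.
ALERTS = [
    {"id": "alert-1", "title": "Custom indicator hit d2f1c4a0-0000-4000-8000-000000000001",
     "detectionSource": "CustomTI", "alertCreationTime": "2023-10-23T06:05:00Z",
     "evidence": [{"entityType": "Url", "url": "http://bad.example.test/login"}]},
    {"id": "alert-2", "title": "Custom indicator hit d2f1c4a0-0000-4000-8000-000000000002",
     "detectionSource": "CustomTI", "alertCreationTime": "2023-10-24T06:04:00Z",
     "evidence": [{"entityType": "File", "sha256": "a" * 64}]},
    {"id": "alert-3", "title": "Suspicious PowerShell", "detectionSource": "WindowsDefenderAtp",
     "alertCreationTime": "2023-10-24T14:30:00Z", "evidence": []},
]

# Constructed sample indicators in the shape of the TI indicators collection API.
INDICATORS = [
    {"id": "995", "indicatorType": "Url", "indicatorValue": "http://bad.example.test/login",
     "source": "Defender for Cloud Apps policy (constructed)", "generateAlert": True},
    {"id": "996", "indicatorType": "IpAddress", "indicatorValue": "203.0.113.9",
     "source": "web filtering (constructed)", "generateAlert": False},
]

# Evidence field that carries the comparable value for each indicator type.
EVIDENCE_FIELD = {"FileSha1": "sha1", "FileSha256": "sha256", "Url": "url",
                  "IpAddress": "ipAddress", "DomainName": "domainName"}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

def custom_ti_alerts(alerts):
    return [a for a in alerts if a.get("detectionSource") == "CustomTI"]

def match_indicators(alerts, indicators):
    """alert id -> ids of indicators whose value occurs in that alert's evidence."""
    idx = {(i["indicatorType"], i["indicatorValue"].lower()): i["id"] for i in indicators}
    out = {}
    for a in custom_ti_alerts(alerts):
        found = {idx[(t, ev[f].lower())] for ev in a.get("evidence", [])
                 for t, f in EVIDENCE_FIELD.items() if ev.get(f) and (t, ev[f].lower()) in idx}
        out[a["id"]] = sorted(found)
    return out

def unexplained(alerts, indicators):
    """CustomTI alerts matching no visible indicator, with the GUID from the title (if any)."""
    matches = match_indicators(alerts, indicators)
    res = []
    for a in custom_ti_alerts(alerts):
        if not matches[a["id"]]:
            m = GUID_RE.search(a.get("title", ""))
            res.append((a["id"], m.group(0) if m else None))
    return res

def hourly_pattern(alerts):
    """Count CustomTI alerts per UTC hour to confirm a 'same time every morning' burst."""
    hours = (datetime.fromisoformat(a["alertCreationTime"].replace("Z", "+00:00")).hour
             for a in custom_ti_alerts(alerts))
    return dict(Counter(hours))
```

An alert listed by `unexplained` is one the tenant-visible indicators cannot account for, which is the point at which to search the title GUID in other portals (Defender for Cloud Apps, web content filtering) rather than in the MDE indicator list.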