Forum Discussion
ActualCassandra
Oct 23, 2023, Copper Contributor
MDE repeatable false positive "Multi-stage incident involving Privilege escalation..." How to fix?
Anyone else seeing this? It always has 57 alerts, too, and the Detection source is always 'Custom TI' and always at the same time in the morning. Doesn't matter if the machine is managed, AD joined, ...
jbmartin6
Oct 24, 2023, Iron Contributor
Phooey, I just realized I didn't read your last paragraph. Never mind.
jbmartin6
Oct 24, 2023, Iron Contributor
Custom detection rule maybe?
- ActualCassandra, Oct 24, 2023, Copper Contributor
Custom detection rules create alerts which show a Detection Source of 'Custom detection'. Just had a quick look and none are being triggered.
'Custom TI' looks like it really should be from an indicator, but the only ones I see via the API (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/get-ti-indicators-collection?view=o365-worldwide) are things like the Defender for Cloud Apps policies and MDE web filtering.
- jbmartin6, Oct 24, 2023, Iron Contributor
I feel like that GUID in the alert names is a clue, but what it means I don't know. Definitely a weird one.
- ActualCassandra, Oct 24, 2023, Copper Contributor
I know! The GUIDs do vary, too, the one from a week ago (same incident comprised of exactly 57 alerts, mind you). Wonder if the indicators are poisoned somehow even though I'm not seeing any after listing them in the API.
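Both ActualCassandra posts come back to the same check: pull the indicator list from the MDE API and look for anything that could be producing 'Custom TI' alerts. The script below is an added example written for this thread, not code from the thread or from Microsoft. It parses the JSON collection that the indicators endpoint returns and groups the entries by creator, then lists the ones that generate alerts and the ones created recently, which is the subset worth reviewing when an unexplained 'Custom TI' incident recurs on a schedule. The field names (`createdBy`, `generateAlert`, `creationTimeDateTimeUtc`, `indicatorType`, `action`) are taken from the documented Indicator resource as I recall it and should be treated as assumptions; the sample response is constructed so the script runs offline, and `fetch_indicators` is the only part that touches the network.

```python
"""Triage helper for MDE custom indicators (the source of 'Custom TI' alerts).

Added example for this thread; not Microsoft's code. It summarises the JSON
collection returned by GET https://api.securitycenter.microsoft.com/api/indicators
so that alert-generating and recently created indicators can be reviewed by
who created them. Field names follow the Indicator resource as documented
(assumed here); SAMPLE_RESPONSE is constructed data for offline use.
"""
import json
import urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone

API_URL = "https://api.securitycenter.microsoft.com/api/indicators"

# Constructed sample response: the shape mirrors the API's OData collection,
# the values are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"id": "101", "indicatorValue": "blocked.example.test", "indicatorType": "DomainName",
         "action": "Block", "title": "Web content filtering", "createdBy": "WebContentFiltering",
         "generateAlert": False, "creationTimeDateTimeUtc": "2023-01-10T08:00:00Z"},
        {"id": "102", "indicatorValue": "203.0.113.7", "indicatorType": "IpAddress",
         "action": "Alert", "title": "Defender for Cloud Apps policy", "createdBy": "CloudAppSecurity",
         "generateAlert": True, "creationTimeDateTimeUtc": "2023-06-02T09:15:00Z"},
        {"id": "103", "indicatorValue": "0" * 64, "indicatorType": "FileSha256",
         "action": "AlertAndBlock", "title": "Ad-hoc IOC", "createdBy": "analyst@contoso.example",
         "generateAlert": True, "creationTimeDateTimeUtc": "2023-10-20T06:30:00Z"},
    ]
})


def parse_indicators(raw_json):
    """Return the list of indicator records from an API response body."""
    return json.loads(raw_json).get("value", [])


def _created(indicator):
    # The API returns ISO-8601 timestamps with a trailing 'Z'; older Pythons'
    # fromisoformat only accepts an explicit +00:00 offset.
    return datetime.fromisoformat(indicator["creationTimeDateTimeUtc"].replace("Z", "+00:00"))


def summarize(indicators, now, recent_days=7):
    """Group indicators by creator and pick out the ones to review first:
    those that generate alerts, and those created within recent_days of `now`."""
    cutoff = now - timedelta(days=recent_days)
    return {
        "by_creator": Counter(ind.get("createdBy", "<unknown>") for ind in indicators),
        "alerting": sorted(ind["id"] for ind in indicators if ind.get("generateAlert")),
        "recent": sorted(ind["id"] for ind in indicators if _created(ind) >= cutoff),
    }


def fetch_indicators(bearer_token):
    """Live fetch (not exercised offline). The token must be authorised for the
    indicators API; obtaining it is outside the scope of this example."""
    req = urllib.request.Request(API_URL, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req) as resp:
        return parse_indicators(resp.read().decode())


if __name__ == "__main__":
    report = summarize(parse_indicators(SAMPLE_RESPONSE), now=datetime.now(timezone.utc))
    for creator, count in report["by_creator"].most_common():
        print(f"{count:4d}  {creator}")
    print("alert-generating indicator ids:", report["alerting"])
    print("created in the last 7 days:    ", report["recent"])
```

Run against a real tenant by replacing `SAMPLE_RESPONSE` with `fetch_indicators(token)`; a creator you do not recognise, or an alert-generating indicator created shortly before the incidents started, is the first thing to compare against the alert's GUID and timestamps. If the list only ever contains the Cloud Apps and web filtering entries, as in the thread, the source of the alerts is not a tenant indicator and the case belongs with support.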