Forum Discussion
ActualCassandra
Oct 23, 2023 Copper Contributor
MDE repeatable false positive "Multi-stage incident involving Privilege escalation..." How to fix?
Anyone else seeing this? It always has 57 alerts, too, and the Detection source is always 'Custom TI' and always at the same time in the morning. Doesn't matter if the machine is managed, AD joined, ...
ActualCassandra
Oct 31, 2023 Copper Contributor
OK, this happens every seven days at the exact same time, when Windows 10 is carrying out its behind-the-scenes operating system scheduled tasks. Example (similar to the original screenshot):
Oct 31, 2023
ActualCassandra, you don't have any custom indicators in your MDE settings?
- MaheshMarthi (Nov 15, 2023, MCT): Make sure you have access to existing TI projects. While creating a new one, it shows the "accessible to Me" option.
- MaheshMarthi (Nov 15, 2023, MCT): There is a section called Threat Intelligence. If you don't find it, try going to https://ti.defender.microsoft.com/projects?tab=team
- ActualCassandra (Nov 01, 2023, Copper Contributor): No, that is what makes it so strange. I have even used the API to list indicators and there is nothing there to trigger something like the incident above.