StephanGee
Jul 29, 2024, Steel Contributor
MDI not firing alert - "Suspicious additions to sensitive groups (external ID 2024)"
Hi everyone, I have checked our MDI installation with PowerShell - it is all green. Also the action itself is in the portal. The group is marked sensitive by default. A user gets adde...
EliOfek
Jul 29, 2024, Microsoft
StephanGee This is a detector that relies on profiling.
So it's not enough for the action to take place alone to trigger an alert.
The detector needs to consider this action to be "abnormal" based on past profiling.
So if, by any chance, the admin user that was used had been doing similar actions before,
it will likely not trigger, as we have already learned that such an action is "normal" for it.
- StephanGee, Jul 29, 2024, Steel Contributor
Hi,
well - this is not really a normal task. It may have happened twice in 1 year. As we rely on those alerts and have no other tool in place - this is bad. I now created a hunt for these happenings.
But it is not in "real time" - it runs every hour. One hour for an attacker can be enough.
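For reference, here is the kind of advanced hunting query such a scheduled hunt would typically be built on. It is an added example, not the query StephanGee wrote and not Microsoft's own detection logic. It reads MDI's IdentityDirectoryEvents table and, unlike the built-in profiling-based alert Eli describes, fires on every addition to a listed group regardless of whether the acting account has done this before. The AdditionalFields keys ("TO.GROUP", "FROM.GROUP", "TARGET_OBJECT.USER") and the group list are assumptions based on the MDI schema as commonly documented; verify them against a real "Group Membership changed" event in your tenant before relying on the query.

```kql
// Added example (not from the thread): catch every addition to a sensitive AD group
// seen by MDI, with no behavioural baseline involved.
// The list below is illustrative; extend it with the groups you have marked
// sensitive in MDI, including any custom ones.
let SensitiveGroups = dynamic([
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators", "Print Operators",
    "Group Policy Creator Owners", "Remote Desktop Users"
]);
IdentityDirectoryEvents
// Look-back should be at least as long as the rule's run frequency; the thread's
// hunt runs hourly, so 1h plus a little slack avoids gaps if a run is delayed.
| where Timestamp > ago(2h)
| where ActionType == "Group Membership changed"
| extend Fields = parse_json(AdditionalFields)
// Assumed field names: TO.GROUP is populated on additions, FROM.GROUP on removals,
// TARGET_OBJECT.USER is the account whose membership changed.
| extend ToGroup    = tostring(Fields["TO.GROUP"]),
         FromGroup  = tostring(Fields["FROM.GROUP"]),
         TargetUser = tostring(Fields["TARGET_OBJECT.USER"])
// Keep additions only; removals would show up with FromGroup set and ToGroup empty.
| where isnotempty(ToGroup)
| where ToGroup has_any (SensitiveGroups)
// Columns required for a custom detection rule: Timestamp, ReportId and an
// identity column such as AccountUpn. AccountName/AccountUpn here is the actor
// (who made the change), TargetUser is the account that was added.
| project Timestamp, ReportId, AccountUpn, AccountName, AccountDomain,
          TargetUser, ToGroup, DeviceName, IPAddress
| order by Timestamp desc
```

To turn this into a custom detection rule rather than an ad-hoc hunt, save it from advanced hunting and pick the rule frequency; if your tenant offers a continuous (near-real-time) frequency for IdentityDirectoryEvents, that closes most of the hourly gap StephanGee describes, but check the current Defender XDR documentation for which tables support it, as that list changes. One caveat on the match: `has_any` matches whole terms, so "Domain Admins" will also match a longer group name containing those words; tighten it to `in~ (SensitiveGroups)` if the ToGroup value in your data is the bare group name and you want an exact match.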