Jul 28 2024 10:45 PM
Hi everyone,
I have checked our MDI installation with the PowerShell - it is all green. Also, the action itself is in the portal.
The group is marked sensitive by default. A user gets added by another Domain Admin.
This should fire a high alert? But nothing happens.
Is there any setting I am missing? We started with a "German AD", so the group names are in German. But this cannot make any difference.
BR
Stephan
Jul 29 2024 12:26 AM
@StephanGee This is a detector that relies on profiling.
So it's not enough for the action to take place alone to trigger an alert.
The detector needs to consider this action to be "abnormal" based on past profiling.
So if by any chance this admin user that was used was doing similar actions before,
it likely won't trigger, as we already learned that such an action for it is "normal".
Jul 29 2024 05:15 AM