MDI not firing alert - "Suspicious additions to sensitive groups (external ID 2024)"


Hi everyone,


I have checked our MDI installation with PowerShell - it is all green. Also, the action itself is in the portal.


The group is marked sensitive by default. A user gets added by another Domain Admin.

This should fire a high alert? But nothing happens.

Is there any setting I am missing? We started with a "German AD", so the group names are in German. But this cannot make any difference.


BR

Stephan


2 Replies

@StephanGee This is a detector that relies on profiling, so it is not enough for the action to take place alone to trigger an alert. The detector needs to consider this action to be "abnormal" based on past profiling. So if by any chance this admin user that was used was doing similar actions before, it will likely not trigger, as we have already learned that such an action is "normal" for it.

Hi,
Well, this is not really a normal task. It may have happened twice in one year. As we rely on those alerts and have no other tool in place, this is bad. I have now created a hunt for these happenings.
But it is not in "real time" - it runs every hour. One hour can be enough for an attacker.
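A query of the kind Stephan describes, written here as an added example (it is not the hunt from this thread and not Microsoft's own detection logic): it pulls "Group Membership changed" events from MDI's IdentityDirectoryEvents table, keeps only additions to a list of sensitive groups, and projects the actor, the added member and the group, so it can be saved as a custom detection rule instead of a profiling-based alert. The group names are an assumption (German default names for the built-in privileged groups, since the forest was installed in German) and the lookback window is arbitrary; edit both to match your environment.

```kql
// Added example, not the thread's own hunt. The group names are assumed German
// defaults for the built-in privileged groups; replace them with your own list.
let SensitiveGroups = dynamic([
    "Domänen-Admins",        // Domain Admins
    "Organisations-Admins",  // Enterprise Admins
    "Schema-Admins",         // Schema Admins
    "Administratoren"        // Administrators
]);
IdentityDirectoryEvents
// Lookback at least as long as the rule's run frequency, so no event falls between two runs.
| where Timestamp > ago(1h)
| where ActionType == "Group Membership changed"
| extend Fields = parse_json(AdditionalFields)
| extend ToGroup = tostring(Fields["TO.GROUP"]), FromGroup = tostring(Fields["FROM.GROUP"])
// Additions populate TO.GROUP; removals populate FROM.GROUP. Keep additions only.
| where isnotempty(ToGroup)
| where ToGroup in~ (SensitiveGroups)
| project Timestamp,
          ActorUpn = AccountUpn,            // the account that performed the change
          ActorName = AccountName,
          AddedMember = TargetAccountUpn,   // the account that was added
          AddedMemberName = TargetAccountDisplayName,
          ToGroup,
          DomainController = DeviceName,
          ReportId                          // required, with Timestamp, for a custom detection rule
```

Timestamp and ReportId are kept because a custom detection rule needs them to create an alert from a row. When saving the rule, check which run frequencies the portal offers for this table; as Stephan notes, an hourly schedule leaves up to an hour between the change and the alert. For a genuinely real-time signal on the same change, the domain controllers' own Security log is the complementary source: event IDs 4728 (global group), 4732 (local group) and 4756 (universal group) record a member being added, together with the subject account, and can be forwarded to whatever alerting you already run.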