Sensitive entities

Hi all

I have been trying to trigger an event to determine whether the sensor is creating the alert I expect to see. To do this I added about 5 random accounts to my Domain Admins group (yes, this is a test environment). I'm not seeing any alerts. I would expect this event to trigger the "Suspicious additions to sensitive groups" alert, but I get nothing.

I've configured auditing per the guidance from Microsoft and I can see the Audit Event ID 4728 being generated in the Security log.

Any thoughts on this? I am seeing other alerts, so I know the sensors are working generally.

Thanks

Tony

3 Replies

@murrato1 I am receiving the same issue. I have added accounts to the domain admins group which should trigger an alert but nothing happens.  

@murrato1 Adding @Daniel Naim 

Hi @murrato1

We have the same issue. Are you aware of the fact that this alert has a learning period of four weeks since the first event was logged?

Microsoft Defender for Identity domain dominance security alerts | Microsoft Docs

If you found any solutions meanwhile, it would be great if you can share them.

Best regards