Aug 15 2021 08:54 PM
Hi all
I have been trying to trigger an event to determine whether the sensor is creating the alert I expect to see. To do this I added about 5 random accounts to my Domain Admins group (yes, this is a test environment). I'm not seeing any alerts. I would expect this event to trigger the "Suspicious additions to sensitive groups" alert, but I get nothing.
I've configured auditing per the guidance from Microsoft and I can see the Audit Event ID 4728 being generated in the Security log.
Any thoughts on this? I am seeing other alerts, so I know the sensors are working generally.
Thanks
Tony
Aug 20 2021 09:00 AM
@murrato1 I am receiving the same issue. I have added accounts to the domain admins group which should trigger an alert but nothing happens.
Nov 26 2021 07:46 AM
Hi @murrato1
We have the same issue. Are you aware of the fact that this Alert has a learning period of four weeks since the first event was logged?
Microsoft Defender for Identity domain dominance security alerts | Microsoft Docs
If you found any solutions in the meantime, it would be great if you could share them.
best regards
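
A check for the two facts discussed in this thread (Event ID 4728 is being logged for the group, and how long ago the oldest retained one was logged compared with the four-week learning period mentioned in the last reply), as an added example that is not part of any post and not Microsoft's code. The function name `Get-GroupAddSummary`, its parameters and the sample event are constructed for illustration; the Security log may have rolled over, so the oldest retained event is only an approximation of the first one.

```powershell
# Added example. Summarises Event ID 4728 records (member added to a
# security-enabled global group) for one group, from event XML strings.
function Get-GroupAddSummary {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,  # strings from $event.ToXml()
        [string]$GroupName = 'Domain Admins',
        [int]$LearningDays = 28,                    # "four weeks", as stated in the thread
        [datetime]$Now = (Get-Date)
    )
    $adds = @(foreach ($raw in $EventXml) {
        $e = ([xml]$raw).Event
        if ($e.System['EventID'].InnerText -ne '4728') { continue }
        # Flatten <Data Name="...">value</Data> into a lookup table
        $d = @{}
        foreach ($item in $e.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['TargetUserName'] -ne $GroupName) { continue }
        [pscustomobject]@{
            Time    = [datetime]$e.System.TimeCreated.SystemTime
            Member  = $d['MemberName']
            AddedBy = $d['SubjectUserName']
        }
    })
    $adds   = @($adds | Sort-Object Time)
    $oldest = if ($adds.Count) { $adds[0].Time } else { $null }
    $days   = if ($oldest) { [int][math]::Floor(($Now - $oldest).TotalDays) } else { $null }
    [pscustomobject]@{
        Group           = $GroupName
        AddCount        = $adds.Count
        OldestAdd       = $oldest
        DaysSinceOldest = $days
        # True only when the oldest retained event predates the learning period
        PastLearning    = ($null -ne $days -and $days -ge $LearningDays)
        Adds            = $adds
    }
}

# Constructed sample event (lab names are placeholders, not from the thread).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4728</EventID><TimeCreated SystemTime="2021-08-15T18:41:07Z"/></System>
  <EventData>
    <Data Name="MemberName">CN=test1,CN=Users,DC=lab,DC=example</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="SubjectUserName">labadmin</Data>
  </EventData>
</Event>
'@
Get-GroupAddSummary -EventXml $sample -Now ([datetime]'2021-08-20') | Format-List

# Live use on a domain controller (requires rights to read the Security log):
# Get-GroupAddSummary -EventXml (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728} | ForEach-Object { $_.ToXml() })
```

With the constructed sample, `AddCount` is 1 and `PastLearning` is False, since the oldest add is only a few days before the `-Now` value.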