Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Sensitive groups

Brass Contributor

Has anyone managed to get anything meaningful from Sensitive Groups ?  I thought the intent was to "monitor" those groups for membership changes.  I have pushed and pulled users in and out of groups (say, Domain Admins) and I never get notified of anything !

16 Replies

This detector needs a  learning period before it is active.

How long is the system deployed with this version?

 

At least 8 weeks. What actually is the detector learning ?  "Normal" modifications by expected admins or other sensitive users ?

Generally yes,

wait for 2-3 more weeks, then to invoke the alert, try to modify a sensitive group using an account that does not normally do it...

Hi Stuart, 

 

There is a report that will show you all of the sensitive group modifications. Can you run this report and see if it has the modifications you did recently? 

 

Thanks

Gershon

The group in question (as a test) was not one that normally gets modified at all....in fact it has probably not been modified for 12 months, by anyone previously.

 

Yes, was aware of the report.....and there is NOTHING at all in the report, which actually would be more useful to me than a console alert.  Why would it not show in the report ?  Yes, auditing for group membership is nabbed, and yes, it shows on the event log.

Which domain group was it?

Keep in mind that in 1.8.* we are using a closed list of groups defined as sensitive.

in future version you will be able to tag yourself which groups are sensitive for you.

?? But we are talking ATP here, not ATA. There is already a list of sensitive groups that you can choose to "monitor", and whilst I have added things like Domain Admins and Enterprise Admins (which get changed very infrequently), I added a test group so we could see that the report and behaviour was like. Whilst I have not tried removing or adding folks to DA and EA (our auditors would not be happy with that, and I am not about to raise a change record just for that), it should certainly evaluate the group I have added, surely ?

Sorry, got confused with another thread.

in AATP, you can tag the entities, so it seems you gap is that you need to have at least 10 weeks of learning period.

10 weeks of learning, for what exactly ? To say that someone "unusual" has modified the group membership ? If this is 10 weeks to appear in the report, is pretty useless, don't you think ?  What would be the point of that ?

Yes and No.

Unlike ATA which can alert for abnormal modifications, and report on all modifications,

AATP (for now) can alert for abnormal modifications too (with the same 10 weeks learning period), but it's report will only report on previously alerted modifications, and not all of them like in ATA.

So.. if you wait 2 more weeks, and use an account that did not modify the tagged group during the learning period, you should see an alert...

Hi Stuart,

 

We've reviewed the sensitive groups report and I'm pleased to let you know that all changes to the sensitive groups will now be included in the report (not just the anomalies). We expect to release the code to enable this in our next update cycle on Sunday February 18th.

Did this make it in, as it does not seem to be working ?

 

Repro:

Add group to entity list

Schedule a report for sensitive groups(daily)

wait a few hours

add some random user to group

await next daily report to show said user was added

 

Is my expectation correct ?

Hi Stuart,
Can you make sure that the Group Events are logged?
To turn them on, please do the following:

  1. On the DC,  open gpme.msc.
  2. Navigate to : Domain Controllers.<domain name> --> Default Domain Controllers Policy.
  3. In that policy, navigate to the following path to configure the DC for those event auditing:
  4. Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy
  5. Set the following values to "Success,Failure" :
    + Audit Account logon events
    + Audit account management
    + Audit directory service access
    + Audit logon events
  6. gpupdate. 

After that, please do the group changes in the AD. You can make sure the events are created by opening the Event Viewer (Windows Logs -> Security)

Finally, try to download the report.

 

If it won't work, please PM me your workspace ID (and name) and the time range (UTC) of the group members change.

 

Thanks,

Gal

 

In the Azure ATP console can you see the changes in the entity profile(s) of the objects in questions? 

 

group change modifications.jpg

The report works fine and Stuart got a report with attached file few days ago.

 

Few things to clarify regarding the detector (i.e., when the Security Alert will be triggered and will be seen in the Timeline):

  • There is a learning period of 4 weeks on each DC, starting from the first group membership change (add) event.
  • The admin didn’t make any change to any group on any DC during the last 10 weeks.
  • Only on adding members to a group (events 4728, 4732, 4756).
  • Only on sensitive group changes.

@Gal Bruchim @Eli Ofek I'm in a similar situation so I have some questions to clarify me the detector behaviour:

- if the group (i.e. Domain Admins) is modified always by the same account no alert is triggered, if another user modify the group membership I receive the alert. Is this correct?

- The learning period (4 weeks) starts from the first group membership change (add) event after the sensor installation. Is this correct?

- could you explain me better "The admin didn’t make any change to any group on any DC during the last 10 weeks."?

 

Thanks a lot

Mike