Forum Discussion
Sensitive groups
The report works fine, and Stuart got a report with an attached file a few days ago.
A few things to clarify regarding the detector (i.e., when the Security Alert will be triggered and will be seen in the Timeline):
- There is a learning period of 4 weeks on each DC, starting from the first group membership change (add) event.
- The admin didn’t make any change to any group on any DC during the last 10 weeks.
- Only on adding members to a group (events 4728, 4732, 4756).
- Only on sensitive group changes.
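One reading of the four conditions above, written out as an added Python example (not the product's own logic and not part of the original posts). It assumes the 10-week rule is tracked per acting account, that any group change counts as prior activity, and that the sensitive-group list and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

ADD_EVENTS = {4728, 4732, 4756}       # member-added event IDs named in the post
SENSITIVE = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed list
LEARNING = timedelta(weeks=4)         # per-DC learning period
QUIET = timedelta(weeks=10)           # actor inactivity window (assumed per account)

def detect(events):
    """Return the events that would alert under the assumed reading."""
    learning_start = {}   # dc -> time of the first add event seen on that DC
    last_change = {}      # actor -> time of their last group change on any DC
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t, dc, actor = ev["time"], ev["dc"], ev["actor"]
        if ev["event_id"] in ADD_EVENTS:
            # The first add event on a DC starts that DC's learning period.
            learned = t - learning_start.setdefault(dc, t) >= LEARNING
            prev = last_change.get(actor)
            unusual = prev is None or t - prev > QUIET
            if learned and unusual and ev["group"] in SENSITIVE:
                alerts.append(ev)
        last_change[actor] = t        # history is updated after the check
    return alerts

def ev(day, dc, actor, event_id, group):
    return {"time": datetime.fromisoformat(day), "dc": dc, "actor": actor,
            "event_id": event_id, "group": group}

# Constructed sample events, not real logs.
SAMPLE = [
    ev("2024-01-01", "DC1", "alice",   4728, "Helpdesk"),          # starts DC1 learning
    ev("2024-01-10", "DC1", "mallory", 4728, "Domain Admins"),     # inside learning period
    ev("2024-02-05", "DC1", "alice",   4728, "Domain Admins"),     # alice active 5 weeks ago
    ev("2024-02-06", "DC1", "bob",     4732, "Administrators"),    # no history: alert
    ev("2024-02-07", "DC1", "carol",   4728, "Helpdesk"),          # not a sensitive group
    ev("2024-02-08", "DC2", "dave",    4756, "Enterprise Admins"), # DC2 learning starts here
    ev("2024-04-20", "DC1", "mallory", 4728, "Domain Admins"),     # quiet > 10 weeks: alert
]

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(a["time"].date(), a["dc"], a["actor"], a["event_id"], a["group"])
```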
Gal Bruchim EliOfek I'm in a similar situation, so I have some questions to clarify the detector's behaviour:
- If the group (i.e. Domain Admins) is always modified by the same account, no alert is triggered; if another user modifies the group membership, I receive the alert. Is this correct?
- The learning period (4 weeks) starts from the first group membership change (add) event after the sensor installation. Is this correct?
- Could you better explain "The admin didn’t make any change to any group on any DC during the last 10 weeks."?
Thanks a lot
Mike