Merge pull request #2027 from MicrosoftDocs/main

Publish main to live, 11/27, 11:00 AM IST

Author: aditisrivastava07

ATPDocs/accounts-with-non-default-pgid.md

@@ -0,0 +1,42 @@
+---
+# Required metadata
+# For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main
+# For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main
+
+title: 'Security Assessment: Accounts with non-default Primary Group ID'
+description: This recommendation lists all computers and users accounts whose primaryGroupId (PGID) attribute is not the default for domain users and computers in Active Directory. 
+author:      LiorShapiraa # GitHub alias
+ms.author: liorshapira
+ms.service: microsoft-defender-for-identity
+ms.topic: article
+ms.date:     10/05/2024
+---
+
+# Security Assessment: Accounts with non-default Primary Group ID
+
+  
+This recommendation lists all computers and users accounts whose primaryGroupId (PGID) attribute is not the default for domain users and computers in Active Directory. 
+
+## Organization risk
+
+The primaryGroupId attribute of a user or computer account grants implicit membership to a group. Membership through this attribute does not appear in the list of group members in some interfaces. This attribute may be used as an attempt to hide group membership. It might be a stealthy way for an attacker to escalate privileges without triggering normal auditing for group membership changes. 
+
+## Remediation steps 
+
+1. Review the list of exposed entities to discover which of your accounts have a suspicious primaryGroupId.  
+
+1. Take appropriate action on those accounts by resetting their attribute to their default values or adding the member to the relevant group:  
+
+  - User accounts: 513 (Domain Users) or 514 (Domain Guests);  
+    
+  - Computer accounts: 515 (Domain Computers);  
+  
+  - Domain controller accounts: 516 (Domain Controllers);  
+  
+  - Read-only domain controller (RODC) accounts: 521 (Read-only Domain Controllers).
+  
+
+## Next steps
+
+- [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
+

ATPDocs/advanced-settings.md

@@ -0,0 +1,83 @@
+---
+title: Adjust alert thresholds | Microsoft Defender for Identity
+description: Learn how to configure the number of Microsoft Defender for Identity alerts triggered of specific alert types by adjusting alert thresholds.
+ms.date: 02/11/2024
+ms.topic: how-to
+#CustomerIntent: As a Microsoft Defender for Identity customer, I want to reduce the number of false positives by adjusting thresholds for specific alerts.
+---
+
+# Adjust alert thresholds
+
+This article describes how to configure the number of false positives by adjusting thresholds for specific Microsoft Defender for Identity alerts.
+
+Some Defender for Identity alerts rely on *learning periods* to build a profile of patterns, and then distinguish between legitimate and suspicious activities. Each alert also has specific conditions within the detection logic to help distinguish between legitimate and suspicious activities, such as alert thresholds and filtering for popular activities. 
+
+Use the **Adjust alert thresholds** page to customize the threshold level for specific alerts to influence their alert volume. For example, if you're running comprehensive testing, you might want to lower alert thresholds to trigger as many alerts as possible.
+
+Alerts are always triggered immediately if the **Recommended test mode** option is selected, or if a threshold level is set to **Medium** or **Low**, regardless of whether the alert's learning period has already completed.
+
+> [!NOTE]
+> The **Adjust alert thresholds** page was previously named **Advanced settings**. For details about this transition and how any previous settings were retained, see our [What's New announcement](whats-new.md#enhanced-user-experience-for-adjusting-alert-thresholds-preview).
+
+## Prerequisites
+
+To view the **Adjust alerts thresholds** page in Microsoft Defender XDR, you need access at least as a *Security viewer*.
+
+To make changes on the **Adjust alerts thresholds** page, you need access at least as a *Security administrator*.
+
+## Define alert thresholds
+
+We recommend changing alert thresholds from the default (**High**) only after careful consideration. 
+
+For example, if you have NAT or VPN, we recommend that you consider any changes to relevant detections carefully, including *Suspected DCSync attack (replication of directory services)* and *Suspected identity theft* detections.
+
+**To define your alert thresholds**:
+
+1. In [Microsoft Defender XDR](https://security.microsoft.com), go to **Settings** > **Identities** > **Adjust alert thresholds**.
+
+    :::image type="content" source="media/whats-new/adjust-alert-thresholds.png" alt-text="Screenshot of the new Adjust alert thresholds page." lightbox="media/whats-new/adjust-alert-thresholds.png":::
+
+1. Locate the alert where you want to adjust the alert threshold and select the threshold level you want to apply.
+
+    - **High** is the default value, and applies standard thresholds to reduce false positives. 
+    - **Medium** and **Low** thresholds increase the number of alerts generated by Defender for Identity.
+
+    When you select **Medium** or **Low**, details are bolded in the **Information** column to help you understand how the change affects the alert behavior.
+
+1. Select **Apply changes** to save changes.
+
+Select **Revert to default** and then **Apply changes** to reset all alerts to the default threshold (**High**). Reverting to default is irreversible and any changes made to your threshold levels are lost.
+
+## Switch to test mode
+
+The **Recommended test mode** option is designed to help you understand all Defender for Identity alerts, including some related to legitimate traffic and activities so that you can thoroughly evaluate Defender for Identity as efficiently as possible.
+
+If you recently deployed Defender for Identity and want to test it, select the **Recommended test mode** option to switch all alert thresholds to **Low** and increase the number of alerts triggered. 
+
+Threshold levels are read-only when the **Recommended test mode** option is selected. When you're finished testing, toggle the **Recommended test mode** option back off to return to your previous settings.
+
+Select **Apply changes** to save changes.
+
+## Supported detections for threshold configurations
+
+The following table describes the types of detections that support adjustments for threshold levels, including the effects of **Medium** and **Low** thresholds.
+
+Cells marked with N/A indicate that the threshold level is not supported for the detection
+
+| Detection | Medium | Low |
+| --- | --- | --- |
+| **[Security principal reconnaissance (LDAP)](credential-access-alerts.md#security-principal-reconnaissance-ldap-external-id-2038)** | When set to **Medium**, this detection triggers alerts immediately, without waiting for a learning period, and also disables any filtering for popular queries in the environment.| When set to **Low**, all support for the **Medium** threshold applies, plus a lower threshold for queries, single scope enumeration, and more. |
+| **[Suspicious additions to sensitive groups](persistence-privilege-escalation-alerts.md#suspicious-additions-to-sensitive-groups-external-id-2024)** |N/A | When set to **Low**, this detection avoids the sliding window and ignores any previous learnings. |
+| **[Suspected AD FS DKM key read](credential-access-alerts.md#suspected-ad-fs-dkm-key-read-external-id-2413)** |  N/A | When set to **Low**, this detection triggers immediately, without waiting for a learning period. |
+| **[Suspected Brute Force attack (Kerberos, NTLM)](credential-access-alerts.md#suspected-brute-force-attack-kerberos-ntlm-external-id-2023)** | When set to **Medium**, this detection ignores any learning done and has a lower threshold for failed passwords. | When set to **Low**, this detection ignores any learning done and has the lowest possible threshold for failed passwords. |
+| **[Suspected DCSync attack (replication of directory services)](credential-access-alerts.md#suspected-dcsync-attack-replication-of-directory-services-external-id-2006)** | When set to **Medium**, this detection triggers immediately, without waiting for a learning period. | When set to **Low**, this detection triggers immediately, without waiting for a learning period, and avoids IP filtering like NAT or VPN. |
+| **[Suspected Golden Ticket usage (forged authorization data)](credential-access-alerts.md#suspected-golden-ticket-usage-forged-authorization-data-external-id-2013)** | N/A| When set to **Low**, this detection triggers immediately, without waiting for a learning period. |
+| **[Suspected Golden Ticket usage (encryption downgrade)](persistence-privilege-escalation-alerts.md#suspected-golden-ticket-usage-encryption-downgrade-external-id-2009)** | N/A| When set to **Low**, this detection triggers an alert based on lower confidence resolution of a device. |
+| **[Suspected identity theft (pass-the-ticket)](lateral-movement-alerts.md#suspected-identity-theft-pass-the-ticket-external-id-2018)** | N/A | When set to **Low**, this detection triggers immediately, without waiting for a learning period, and avoids IP filtering like NAT or VPN. |
+| **[User and Group membership reconnaissance (SAMR)](reconnaissance-discovery-alerts.md#user-and-group-membership-reconnaissance-samr-external-id-2021)** | When set to **Medium**, this detection triggers immediately, without waiting for a learning period. | When set to **Low**, this detection triggers immediately and includes a lower alert threshold. |
+
+For more information, see [Security alerts in Microsoft Defender for Identity](alerts-overview.md).
+
+## Next step
+
+For more information, see [Investigate Defender for Identity security alerts in Microsoft Defender XDR](manage-security-alerts.md).