Tag sensitive accounts
Applies to: Advanced Threat Analytics version 1.9
You can manually tag groups or accounts as sensitive to enhance detections. It is important to make sure this is updated because some ATA detections, such as sensitive group modification detection and lateral movement path, rely on which groups and accounts are considered sensitive. Previously, ATA automatically considered an entity sensitive if it was a member of a specific list of groups. You can now manually tag other users or groups as sensitive, such as board members, company executives, director of sales, etc., and ATA will consider them sensitive.
In the ATA console, click the Configuration cog in the menu bar.
Under Detection, click Entity tags.
In the Sensitive section, type the name of the Sensitive accounts and Sensitive groups and then click + sign to add them.
Click Save.
Go to the entity profile page by clicking on the entity name. Here you will be able to see why the entity is considered sensitive - whether it is because of membership in a group or because of manual tagging as sensitive.
Sensitive groups
The following list of groups are considered Sensitive by ATA. Any entity that is a member of these groups is considered sensitive:
- Administrators
- Power Users
- Account Operators
- Server Operators
- Print Operators
- Backup Operators
- Replicators
- Remote Desktop Users
- Network Configuration Operators
- Incoming Forest Trust Builders
- Domain Admins
- Domain Controllers
- Group Policy Creator Owners
- read-only Domain Controllers
- Enterprise Read-only Domain Controllers
- Schema Admins
- Enterprise Admins