Working with sensitive accounts
The following groups are considered Sensitive by Azure ATP. Any entity that is a member of one of these groups is considered sensitive:
Network Configuration Operators
Incoming Forest Trust Builders
Group Policy Creator Owners
Read-only Domain Controllers
Enterprise Read-only Domain Controllers
Microsoft Exchange Servers
Until September 2018, Remote Desktop Users were also automatically considered Sensitive by Azure ATP. Remote Desktop entities or groups added after this date are no longer automatically marked as sensitive, while Remote Desktop entities or groups added before this date may remain marked as Sensitive. This Sensitive setting can now be changed manually.
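To review which entities are sensitive through membership of the groups listed above, you can enumerate those groups in Active Directory. The script below is an added example, not part of Azure ATP or the original page; the function name Get-SensitiveGroupMember and the output file name are hypothetical, and treating nested members as sensitive is an assumption the page does not confirm.

```powershell
# Added example: audit membership of the groups this page lists as Sensitive.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Group names copied from the list on this page.
$SensitiveGroups = @(
    'Network Configuration Operators',
    'Incoming Forest Trust Builders',
    'Group Policy Creator Owners',
    'Read-only Domain Controllers',
    'Enterprise Read-only Domain Controllers',
    'Microsoft Exchange Servers'
)

function Get-SensitiveGroupMember {   # hypothetical helper name
    param(
        [string[]]$GroupName = $SensitiveGroups,
        # Assumption: nested members count as sensitive; the page does not say.
        [switch]$Recursive
    )
    foreach ($name in $GroupName) {
        # A group may be absent or named differently in a given domain.
        $groups = @(Get-ADGroup -Filter "Name -eq '$name'")
        if ($groups.Count -eq 0) {
            Write-Warning "Group not found in this domain: $name"
            continue
        }
        foreach ($group in $groups) {
            try {
                Get-ADGroupMember -Identity $group -Recursive:$Recursive |
                    ForEach-Object {
                        [pscustomobject]@{
                            SensitiveGroup = $name
                            Member         = $_.SamAccountName
                            ObjectClass    = $_.objectClass
                            DN             = $_.distinguishedName
                        }
                    }
            } catch {
                # Members that cannot be resolved make the cmdlet throw.
                Write-Warning "Could not enumerate '$name': $($_.Exception.Message)"
            }
        }
    }
}

# An account in several sensitive groups appears once per group.
Get-SensitiveGroupMember -Recursive |
    Sort-Object SensitiveGroup, Member |
    Export-Csv -Path .\sensitive-members.csv -NoTypeInformation
```

The resulting list is also a starting point for deciding which additional accounts or groups to tag as sensitive manually.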
Tagging sensitive accounts
In addition to these groups, you can manually tag groups or accounts as sensitive to enhance detections. This is important because some Azure ATP detections, such as sensitive group modification detection and lateral movement paths, rely on which groups and accounts are considered sensitive. For example, you can tag board members, company executives, or the director of sales as sensitive, and Azure ATP then considers them sensitive.
In the Azure ATP portal, click the Configuration cog in the menu bar.
Under Detection, click Entity tags.
In the Sensitive section, type the names of the Sensitive accounts and Sensitive groups, and then click the + sign to add them.