Microsoft Defender for Identity (MDI) alerts have a number of different learning periods, and each is well documented on its own alert page. However, there is no single list of all the alerts that have learning periods for easy reference, so I have created this list and will keep it updated. Until a learning period has elapsed for the scope noted (per domain controller, per user or per computer), MDI will not raise that alert, so a quiet sensor is not necessarily a clean environment.
Alert Category | Alert | External ID | Learning Period | Learning Period Notes |
---|---|---|---|---|
Reconnaissance alerts | Network-mapping reconnaissance (DNS) | 2007 | 8 Days | Beginning when the domain controller becomes monitored |
Lateral Movement | Suspected over-pass-the-hash attack (forced encryption type) | 2008 | 1 Month | |
Domain Dominance Alerts | Suspected Golden Ticket usage (encryption downgrade) | 2009 | 5 Days | From the start of domain controller monitoring |
Reconnaissance alerts | User and Group membership reconnaissance (SAMR) | 2021 | 4 Weeks | Per domain controller starting from the first network activity of SAMR against the DC |
Compromised Credential Alerts | Suspected Brute Force attack (Kerberos, NTLM) | 2023 | 1 Week | |
Domain Dominance Alerts | Suspicious additions to sensitive groups | 2024 | 4 Weeks | Per Domain Controller starting from the first event |
Compromised Credential Alerts | Suspicious VPN Connection | 2025 | 30 Days | From the first VPN connection, and at least 5 VPN connections in the last 30 days, per user |
Reconnaissance alerts | Security principal reconnaissance (LDAP) | 2038 | 15 Days | Per computer, starting from the first event observed from that machine |
You can find a complete list of all MDI alerts here.
This table was last updated on Aug 29th 2024.
Aug 29th 2024 Updates:
- Added the alert "Suspected over-pass-the-hash attack (forced encryption type)" to the table.
Feb 1st 2024 Updates:
- Re-ordered the table by External ID value so it is easier to track against the list of MDI alerts
- No alerts with learning periods added
- No learning period changes made
Dec 6th 2023 Updates:
- Learning periods reviewed, no changes