MDI Learning Periods

Microsoft Defender for Identity (MDI) alerts have a number of different learning periods, and each is well documented. However, there is no single list of all the alerts that have learning periods for easy reference, so I have created this list and will keep it updated.

| Alert Category | Alert | External ID | Learning Period | Learning Period Notes |
|---|---|---|---|---|
| Reconnaissance alerts | Network-mapping reconnaissance (DNS) | 2007 | 8 Days | Beginning when the domain controller becomes monitored |
| Reconnaissance alerts | Security principal reconnaissance (LDAP) | 2038 | 15 Days | Per computer, starting from the first event observed from the machine |
| Reconnaissance alerts | User and Group membership recon (SAMR) | 2021 | 4 Weeks | Per domain controller, starting from the first network activity of SAMR against the DC |
| Compromised Credential Alerts | Suspected Brute Force attack (Kerberos, NTLM) | 2023 | 1 Week | |
| Compromised Credential Alerts | Suspicious VPN Connection | 2025 | 30 Days | From the first VPN connection, and at least 5 VPN connections in the last 30 days, per user |
| Domain Dominance Alerts | Suspected Golden Ticket usage (encryption downgrade) | 2009 | 5 Days | From the start of domain controller monitoring |
| Domain Dominance Alerts | Suspicious additions to sensitive groups | 2024 | 4 Weeks | Per domain controller, starting from the first event |

This table was last updated on March 8th 2022
