MDI Learning Periods

Tue Mar 08, 22 | | MDI | Identity | Microsoft

MDI alerts have a number of different learning periods, and each is well documented. However, there is not a single list of all the alerts that have learning periods for easy reference, so I have created and will update this list.

Alert Category Alert External ID Learning Period Learning Period Notes
Reconnaissance alerts Network-mapping reconnaissance (DNS) 2007 8 Days Beginning when the domain controller is becomes monitored
Domain Dominance Alerts Suspected Golden Ticket usage (encryption downgrade) 2009 5 Days From the start of domain controller monitoring
Reconnaissance alerts User and Group membership reconnaissance (SAMR) 2021 4 Weeks Per domain controller starting from the first network activity of SAMR against the DC
Compromised Credential Alerts Suspected Brute Force attack (Kerberos, NTLM) 2023 1 Week  
Domain Dominance Alerts Suspicious additions to sensitive groups 2024 4 Weeks Per Domain Controller starting from the first event
Compromised Credential Alerts Suspicious VPN Connection 2025 30 Days From the first VPN connection, and at least 5 VPN connections in the last 30 days, per user
Reconnaissance alerts Security principal reconnaissance (LDAP) 2038 15 Days Per computer, starting from the first event, observed from the machine

You can find a complete list of all MDI alerts here.

This table was last updated on Feb 1st 2023.


Feb 1st 2023 Updates:

  • Re-order based on the External ID value so this will be easier to track against the list of MDI alerts
  • No alerts with learning periods added
  • No learning period changes made

Dec 6th 2023 Updates:

  • Learning period reviewed no changes