Managed Sentinel – Alert 015

Alert ID: MS-A015
Alert Name: Creation and modification of a Windows privileged account
Description: This alert triggers when a user account has been added to a privileged built-in domain local group or global group, such as Enterprise Admins, Cert Publishers or DnsAdmins.
Severity Level: Low
Threat Indicator: Root Access
MITRE ATT&CK Tactics: Persistence, Privilege Escalation
Log sources: Windows
False Positive: Migration of an account into a new domain
Recommendations:
1. If the change is not linked with an approved internal event (subject to the organization's change management process), reverse the change in the Active Directory domain.
2. Use Azure Sentinel to query, analyse and report any network access from the affected user account to other internal resources (lateral movement).
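Added example (not Managed Sentinel's or Microsoft's rule): the detection logic behind this alert, written in Python and run over constructed Windows Security events. The event IDs and field names are the standard Security log ones for group-membership changes; the privileged groups beyond the three named on the card are an assumption to be tuned per environment.

```python
# Windows Security event IDs for group-membership changes: 4728/4729 global
# group add/remove, 4732/4733 domain-local, 4756/4757 universal.
MEMBER_ADDED = {4728: "global", 4732: "domain-local", 4756: "universal"}
MEMBER_REMOVED = {4729: "global", 4733: "domain-local", 4757: "universal"}

# Privileged built-in groups named on the alert card plus a few other
# well-known ones; assumption, tune the list to the environment.
PRIVILEGED_GROUPS = {
    "enterprise admins", "cert publishers", "dnsadmins",
    "domain admins", "schema admins", "administrators",
}

def detect(events):
    """Return one finding per event that adds or removes a member of a
    privileged group. Security event schema: TargetUserName is the group,
    MemberName the member DN, SubjectUserName the account making the change."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in MEMBER_ADDED:
            action = "added"
        elif eid in MEMBER_REMOVED:
            action = "removed"
        else:
            continue  # not a membership-change event
        group = ev.get("TargetUserName", "")
        if group.lower() not in PRIVILEGED_GROUPS:
            continue  # change on a non-privileged group
        findings.append({
            "event_id": eid, "scope": MEMBER_ADDED.get(eid) or MEMBER_REMOVED.get(eid),
            "action": action, "group": group,
            "member": ev.get("MemberName", ""),
            "actor": ev.get("SubjectUserName", ""),
        })
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4728, "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example", "SubjectUserName": "svc-admin"},
    {"EventID": 4732, "TargetUserName": "DnsAdmins",
     "MemberName": "CN=svc-dns,CN=Users,DC=corp,DC=example", "SubjectUserName": "helpdesk1"},
    {"EventID": 4728, "TargetUserName": "Marketing",
     "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example", "SubjectUserName": "helpdesk1"},
    {"EventID": 4729, "TargetUserName": "Cert Publishers",
     "MemberName": "CN=oldca,CN=Users,DC=corp,DC=example", "SubjectUserName": "svc-admin"},
    {"EventID": 4624, "TargetUserName": "jdoe", "SubjectUserName": "-"},
]
```

Removal events are included because the alert name covers modification, not only creation; the actor field is what recommendation 1 needs to match against the change record.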