Creation and modification of a Windows privileged account
This alert triggers when a user account has been added to a privileged built-in domain local group or global group, such as Enterprise Admins, Cert Publishers or DnsAdmins.
MITRE ATT&CK Tactics
Migration of an account into a new domain
1. If the change is not linked to an approved internal event (subject to the organization's change management process), reverse the change in the Active Directory domain.
2. Use Azure Sentinel to query, analyse and report any network access from the affected user account to other internal resources (lateral movement).
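As an added example (not part of the original alert page), a small Python detector that applies this alert's logic to constructed Windows Security event lines: it flags event IDs 4728 and 4732 (member added to a security-enabled global or local group) whose target group is one of the privileged groups named above. The flattened `Key=Value;` line format and the sample events are assumptions made for the example.

```python
from dataclasses import dataclass
# Privileged built-in groups named in the alert; extend per organisation.
PRIVILEGED_GROUPS = {"enterprise admins", "cert publishers", "dnsadmins"}

# Standard Windows Security event IDs: 4728 = member added to a
# security-enabled global group, 4732 = member added to a security-enabled
# (domain) local group.
GROUP_ADD_EVENT_IDS = {4728, 4732}

@dataclass(frozen=True)
class Finding:
    event_id: int
    actor: str   # SubjectUserName: who made the change
    member: str  # MemberName: DN of the account that was added
    group: str   # TargetUserName: the group that received the member

def parse_event(line: str) -> dict:
    """Parse one 'Key=Value; Key=Value' line (assumed flattened format)."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def find_privileged_additions(lines):
    """Return a Finding for every add-member event targeting a privileged group."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        try:
            event_id = int(ev.get("EventID", ""))
        except ValueError:
            continue  # malformed or unrelated line: skip, do not crash the detector
        if event_id not in GROUP_ADD_EVENT_IDS:
            continue
        group = ev.get("TargetUserName", "")
        if group.lower() in PRIVILEGED_GROUPS:
            findings.append(Finding(event_id, ev.get("SubjectUserName", ""),
                                    ev.get("MemberName", ""), group))
    return findings
# Constructed sample events (not from any real environment).
SAMPLE_EVENTS = [
    "EventID=4728; SubjectUserName=admin.jdoe; MemberName=CN=svc-backup,OU=Service,DC=corp,DC=local; TargetUserName=Enterprise Admins",
    "EventID=4732; SubjectUserName=admin.jdoe; MemberName=CN=tsmith,OU=Users,DC=corp,DC=local; TargetUserName=DnsAdmins",
    "EventID=4728; SubjectUserName=helpdesk1; MemberName=CN=newhire,OU=Users,DC=corp,DC=local; TargetUserName=Marketing",
    "EventID=4624; SubjectUserName=tsmith; TargetUserName=Enterprise Admins",  # logon, not a group change
]
if __name__ == "__main__":
    for f in find_privileged_additions(SAMPLE_EVENTS):
        print(f"ALERT {f.event_id}: {f.actor} added {f.member} to {f.group}")
```

Each Finding carries the actor, member and group so an analyst can check it against the change management record before reversing the membership.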