Managed Sentinel – Alert 015
| Field | Value |
|---|---|
| Alert Name | Creation and modification of a Windows privileged account |
| Description | This alert triggers when a user account has been added to a privileged built-in domain local or global group, such as Enterprise Admins, Cert Publishers or DnsAdmins. |
| Threat Indicator | Root Access |
| MITRE ATT&CK Tactics | Persistence |
| False Positive | Migration of an account into a new domain |
| Recommendations | 1. If the change is not linked to an approved internal event (subject to the organization's change management process), reverse the change in the Active Directory domain. 2. Use Azure Sentinel to query, analyse and report any network access from the affected user account to other internal resources (lateral movement). |
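The detection logic behind this alert, and the first triage step from the recommendations, as an added example that is not part of the original alert page or of Managed Sentinel's own content. It runs over constructed Windows Security event records whose field names mirror the SecurityEvent columns Sentinel exposes for group-membership events (EventID, TimeGenerated, TargetUserName for the group, MemberName for the added account, SubjectUserName for the actor). It goes slightly beyond the page by also matching universal-group additions (event 4756), since Enterprise Admins is a universal group, and by including a few extra built-in groups in the watch list; the watch list, the sample events and the approved-change records are all assumptions.

```python
import json
from dataclasses import dataclass

# Windows Security event IDs for "A member was added to a security-enabled
# <scope> group". The page names domain local and global groups; universal
# (4756) is included because Enterprise Admins is a universal group.
GROUP_ADD_EVENTS = {4728: "global", 4732: "domain local", 4756: "universal"}

# Groups named on the page, plus other built-in groups that are normally
# treated as privileged (assumption; tune to the environment).
PRIVILEGED_GROUPS = {
    "enterprise admins", "cert publishers", "dnsadmins",
    "domain admins", "schema admins", "administrators",
}


@dataclass(frozen=True)
class Finding:
    time: str
    event_id: int
    scope: str
    group: str
    member: str
    actor: str


def member_account(member_dn: str) -> str:
    """Reduce a MemberName distinguished name ('CN=svc-backup,OU=...') to the
    bare account name so it can be matched against change records."""
    first = member_dn.split(",", 1)[0]
    return first.split("=", 1)[-1].strip().lower()


def detect_privileged_group_additions(event_lines):
    """Return one Finding per group-membership addition that targets a
    privileged group. Each line is one JSON-serialised event record."""
    findings = []
    for line in event_lines:
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid not in GROUP_ADD_EVENTS:
            continue  # not a group-membership addition (removals etc. are skipped)
        group = ev.get("TargetUserName", "")
        if group.lower() not in PRIVILEGED_GROUPS:
            continue  # addition to a non-privileged group
        findings.append(Finding(
            time=ev.get("TimeGenerated", ""),
            event_id=eid,
            scope=GROUP_ADD_EVENTS[eid],
            group=group,
            member=member_account(ev.get("MemberName", "")),
            actor=ev.get("SubjectUserName", "").lower(),
        ))
    return findings


def triage(findings, approved_changes):
    """Recommendation 1: separate additions that match an approved change
    record from those that should be reversed and investigated.
    approved_changes is a set of (account, group) pairs, lower-cased."""
    approved, unapproved = [], []
    for f in findings:
        key = (f.member, f.group.lower())
        (approved if key in approved_changes else unapproved).append(f)
    return approved, unapproved


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    json.dumps({"TimeGenerated": "2024-01-15T09:12:03Z", "EventID": 4728,
                "TargetUserName": "Domain Users",
                "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example",
                "SubjectUserName": "hr-provisioning"}),
    json.dumps({"TimeGenerated": "2024-01-15T09:14:41Z", "EventID": 4756,
                "TargetUserName": "Enterprise Admins",
                "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example",
                "SubjectUserName": "adm-smith"}),
    json.dumps({"TimeGenerated": "2024-01-15T09:20:17Z", "EventID": 4732,
                "TargetUserName": "DnsAdmins",
                "MemberName": "CN=tgreen,OU=IT,DC=corp,DC=example",
                "SubjectUserName": "adm-lee"}),
    # 4729 is a removal from a global group, so it must not fire.
    json.dumps({"TimeGenerated": "2024-01-15T09:21:55Z", "EventID": 4729,
                "TargetUserName": "Cert Publishers",
                "MemberName": "CN=old-ca,OU=Service,DC=corp,DC=example",
                "SubjectUserName": "adm-lee"}),
]

# Constructed change-management records: (account, group) pairs that were approved.
APPROVED_CHANGES = {("tgreen", "dnsadmins")}

if __name__ == "__main__":
    found = detect_privileged_group_additions(SAMPLE_EVENTS)
    ok, bad = triage(found, APPROVED_CHANGES)
    for f in bad:
        print(f"REVERSE/INVESTIGATE {f.time}: {f.actor} added {f.member} to "
              f"{f.group} ({f.scope} group, event {f.event_id})")
```

On the sample data the Domain Users addition and the Cert Publishers removal are ignored, the DnsAdmins addition is matched to its approved change, and the Enterprise Admins addition of svc-backup is the one left for reversal; the actor and member names in that finding are the values recommendation 2 would pivot on when querying for lateral movement.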