Managed Sentinel – Alert 091

Alert IDMS-A091
Alert NameGroup recently created was added to a privileged built-in group
DescriptionA Group created in the last 7 days was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins.
Severity LevelMedium
Threat IndicatorUnauthorized Access
MITRE ATT&CK TacticsLateral Movement
Log sourcesWindows Information Event Logs
False PositivesApproved/sanctioned change. Newly installed application which requires elevated access into AD domain.
Recommendations1. Review the change management history and validate if this is an approved change
2. Remove account from elevated group
3. Review AD logs to identify additional activities under this account name.