Managed Sentinel – Alert 091
Group recently created was added to a privileged built-in group
A group created in the last 7 days was added as a member of a privileged built-in domain local, global or universal group, such as Enterprise Admins, Cert Publishers or DnsAdmins. Nesting a fresh group inside a privileged group is a common way to grant (and later hide) elevated rights, because the accounts placed in the new group inherit the privileged group's permissions without appearing in its direct membership.
MITRE ATT&CK Tactics
Data source: Windows Security Event Logs (group creation and group membership change events from domain controllers)
Possible false positives: an approved, sanctioned change, for example a newly installed application that requires elevated access to the AD domain and was deployed through a dedicated group.
Recommended actions:
1. Review the change management history and validate whether this is an approved change.
2. If it is not approved, remove the newly created group (and any accounts it contains) from the privileged group.
3. Review AD logs for the account that created the group and the account that added it to the privileged group, to identify additional activity under those accounts.
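The following KQL is an added example of how this detection can be expressed against the SecurityEvent table; it is not the Managed Sentinel rule itself. It assumes that Security events from domain controllers are collected into SecurityEvent, and the list of privileged groups below is an assumed extension of the three groups named above. Group creation is logged as 4727 (global), 4731 (domain local) and 4754 (universal); a member being added is logged as 4728, 4732 and 4756 respectively. The join is on the new group's SID rather than its name, so a renamed group is still caught.

```kql
// Added example: correlate "group created" events with "member added to privileged group"
// events where the added member is the newly created group (matched by SID).
let lookback = 7d;
// Assumed list of privileged built-in groups; extend to match your environment.
let privilegedGroups = dynamic([
    "Enterprise Admins", "Domain Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators", "Print Operators",
    "Cert Publishers", "DnsAdmins", "Group Policy Creator Owners"]);
// Groups created inside the lookback window: TargetSid is the SID of the new group.
let newGroups = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID in (4727, 4731, 4754)
    | project GroupCreatedTime = TimeGenerated,
              NewGroupName = TargetUserName,
              NewGroupSid = TargetSid,
              CreatedBy = SubjectAccount,
              CreatedOn = Computer;
// Members added to privileged groups: MemberSid is the SID of the member that was added.
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID in (4728, 4732, 4756)
| where TargetUserName in~ (privilegedGroups)
| join kind=inner newGroups on $left.MemberSid == $right.NewGroupSid
| where TimeGenerated >= GroupCreatedTime
| project TimeGenerated,
          PrivilegedGroup = TargetUserName,
          NewGroupName, NewGroupSid, GroupCreatedTime, CreatedBy, CreatedOn,
          AddedBy = SubjectAccount,
          AddedOn = Computer,
          EventID
```

Before relying on this query, confirm that the "Audit Security Group Management" subcategory is enabled on the domain controllers and that those events actually reach the workspace; if the creation event falls outside the lookback window the join produces no row, so the window must cover at least the 7 days the alert describes.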