Managed Sentinel – Alert 129

Alert IDMS-A129
Alert NameUsers added to privileged domain groups
DescriptionIdentifies when a user account was created and then added to the builtin Administrators group in the same day.
Severity LevelMedium
Threat IndicatorRoot Access
MITRE ATT&CK TacticsPrivilege Escalation
Log sourcesWindows Security Event Log
False PositiveService outsourcing
Recommendations1. Review the user account(s) which has been added to the privileged domain groups and identify the account owners.
2. Confirm if the request is valid.
If not, disable the accounts immediately and start an investigation to review account activity into your environment.