Managed Sentinel – Alert 129

Alert ID: MS-A129
Alert Name: Users added to privileged domain groups
Description: This alert triggers when a user is added to a privileged group such as Domain Admins. This is an unusual event and it may indicate a malicious actor attempting to escalate privileges.
Windows event ID 1102 is logged whenever the Security log is cleared, regardless of the status of the Audit System Events audit policy. The Account Name and Domain Name fields identify the user who cleared the log.
Severity Level: Medium
Threat Indicator: Root Access
MITRE ATT&CK Tactics: Privilege Escalation
Log sources: Windows Security Event Log
False Positive: Service outsourcing
Recommendations: Review the user accounts which have been added to the privileged domain groups and identify the account owners. Confirm whether the request is valid.
If it is not, disable the accounts immediately and start an investigation to discover how the accounts have been used in your organization.
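The detection logic behind this alert, as an added example that is not Managed Sentinel's own rule: it scans Windows Security Event Log records for the standard group-membership-addition event IDs (4728 global group, 4756 universal group, 4732 local group), keeps only additions to a watch-list of privileged groups, and emits one Medium-severity finding per addition together with the list of member accounts an analyst should review. The input is a constructed JSON-lines sample whose field names follow the Security log's own names (TargetUserName is the group, MemberName is the distinguished name of the added member, SubjectUserName is the actor); the privileged-group list is an assumption to be extended for your environment.

```python
import json

# Well-known Windows Security event IDs for membership additions.
# 4728 = member added to a security-enabled global group (e.g. Domain Admins)
# 4756 = member added to a security-enabled universal group (e.g. Enterprise Admins)
# 4732 = member added to a security-enabled local group (e.g. Administrators)
GROUP_ADD_EVENT_IDS = {4728, 4756, 4732}

# Assumed watch-list; extend with the privileged groups in your own domain.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample records (JSON lines) modelled on Security log fields.
SAMPLE_EVENTS = """
{"EventID": 4728, "TimeCreated": "2024-05-01T09:12:00Z", "SubjectUserName": "svc-helpdesk", "TargetUserName": "Domain Admins", "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example"}
{"EventID": 4728, "TimeCreated": "2024-05-01T09:13:00Z", "SubjectUserName": "hr-admin", "TargetUserName": "Marketing Users", "MemberName": "CN=asmith,OU=Staff,DC=corp,DC=example"}
{"EventID": 4624, "TimeCreated": "2024-05-01T09:14:00Z", "SubjectUserName": "jdoe", "TargetUserName": "jdoe", "LogonType": 10}
{"EventID": 4756, "TimeCreated": "2024-05-01T09:20:00Z", "SubjectUserName": "jdoe", "TargetUserName": "Enterprise Admins", "MemberName": "CN=tmp-admin,OU=Staff,DC=corp,DC=example"}
{"EventID": 4732, "TimeCreated": "2024-05-01T09:25:00Z", "SubjectUserName": "Administrator", "TargetUserName": "Administrators", "MemberName": "jdoe"}
"""


def parse_events(text):
    """Parse JSON-lines event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def member_account(member_name):
    """Return the account name from a distinguished name (CN=...) or a plain name."""
    first = member_name.split(",", 1)[0]
    if first.upper().startswith("CN="):
        return first[3:]
    return first


def find_privileged_group_additions(events, privileged_groups=PRIVILEGED_GROUPS):
    """Return one finding per addition of a member to a privileged group."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in GROUP_ADD_EVENT_IDS:
            continue
        group = ev.get("TargetUserName", "")
        if group not in privileged_groups:
            continue
        findings.append({
            "alert_id": "MS-A129",
            "severity": "Medium",
            "time": ev.get("TimeCreated"),
            "event_id": ev["EventID"],
            "group": group,
            "member": member_account(ev.get("MemberName", "")),
            "actor": ev.get("SubjectUserName"),
        })
    return findings


def accounts_to_review(findings):
    """Distinct member accounts added to privileged groups, for owner identification."""
    return sorted({f["member"] for f in findings})


if __name__ == "__main__":
    results = find_privileged_group_additions(parse_events(SAMPLE_EVENTS))
    for f in results:
        print(f"{f['time']} {f['actor']} added {f['member']} to {f['group']} (event {f['event_id']})")
    print("accounts to review:", accounts_to_review(results))
```

The member is taken from MemberName rather than TargetUserName because, for these event IDs, the target is the group; triage then starts from the accounts_to_review list and the actor field, which identifies who performed the addition.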