Managed Sentinel – Alert 129
| Field | Value |
|---|---|
| Alert Name | Users added to privileged domain groups |
| Description | Identifies when a user account was created and then added to the built-in Administrators group in the same day. |
| Threat Indicator | Root Access |
| MITRE ATT&CK Tactics | Privilege Escalation |
| Log sources | Windows Security Event Log |
| False Positive | Service outsourcing |
| Recommendations | 1. Review the user account(s) that have been added to the privileged domain groups and identify the account owners. 2. Confirm that the request is valid. If it is not, disable the accounts immediately and start an investigation to review the accounts' activity in your environment. |
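A KQL query that implements the detection described above, as an added example rather than the managed service's own analytics rule: it correlates account creation (Security Event ID 4720) with a subsequent addition to the built-in Administrators group (Event ID 4732, member added to a security-enabled local group) for the same account SID. It assumes the standard `SecurityEvent` table fed by the Windows Security Event Log connector, reads "same day" as within 24 hours of creation, and uses the well-known SID `S-1-5-32-544` for the built-in Administrators group.

```kql
// Added example, not the managed service's rule. Assumes the SecurityEvent table.
let lookback = 1d;
// Step 1: user accounts created in the lookback window (Event ID 4720).
let created = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4720
    | project CreatedTime = TimeGenerated, CreatedOn = Computer,
              NewUser = TargetUserName, NewUserSid = TargetSid,
              CreatedBy = SubjectUserName;
// Step 2: members added to the built-in Administrators group (Event ID 4732).
// TargetSid is the group's SID; MemberSid is the SID of the account being added.
let addedToAdmins = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4732
    | where TargetSid == "S-1-5-32-544"   // well-known SID: BUILTIN\Administrators
    | project AddedTime = TimeGenerated, AddedOn = Computer,
              GroupName = TargetUserName, MemberSid,
              AddedBy = SubjectUserName;
// Step 3: same SID created and then added within 24 hours of creation.
created
| join kind=inner addedToAdmins on $left.NewUserSid == $right.MemberSid
| where AddedTime >= CreatedTime and AddedTime <= CreatedTime + 1d
| extend MinutesBetween = datetime_diff("minute", AddedTime, CreatedTime)
| project CreatedTime, AddedTime, MinutesBetween, NewUser, NewUserSid,
          GroupName, CreatedBy, AddedBy, CreatedOn, AddedOn
| extend AccountCustomEntity = NewUser, HostCustomEntity = AddedOn
```

To extend the rule to other privileged domain groups, add Event IDs 4728 (global group) and 4756 (universal group) and match on the target group SIDs you consider privileged; the creation-then-addition join logic stays the same.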