Managed Sentinel – Alert 142

Alert ID: MS-A142
Alert Name: User account created and deleted within x mins
Description: Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.
Severity Level: Medium
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Persistence, Privilege Escalation
Log sources: Windows
False Positives: Approved operational change or DEV/UAT testing
Recommendations:
1. Collect evidence of the changes in the Windows environment related to the account name that was created and then deleted.
2. Investigate via Azure Sentinel for any lateral movement within your network using the account name. Understand and validate whether any other changes were made during the timeframe when the account was active in your network.
3. Identify the originator host from which the change was made.
4. Perform an EDR scan on the impacted host.
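The correlation this alert describes, as an added example that is not the Managed Sentinel rule's own query: it pairs Windows Security event 4720 (user account created) with a later 4726 (user account deleted) for the same account name and flags pairs inside the 10-minute window, carrying the creating/deleting principal and originator host that the recommendations ask an analyst to collect. The sample events are constructed, and the field names assume the Sentinel SecurityEvent schema (TimeGenerated, EventID, Computer, TargetUserName, SubjectUserName).

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not from the original page).
# 4720 = "A user account was created", 4726 = "A user account was deleted".
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T10:00:00", "EventID": 4720, "Computer": "DC01",
     "TargetUserName": "svc_tmp", "SubjectUserName": "jdoe"},
    {"TimeGenerated": "2024-05-01T10:06:30", "EventID": 4726, "Computer": "DC01",
     "TargetUserName": "SVC_TMP", "SubjectUserName": "jdoe"},
    # Legitimate account that lived for hours: must not be flagged.
    {"TimeGenerated": "2024-05-01T11:00:00", "EventID": 4720, "Computer": "DC01",
     "TargetUserName": "newhire", "SubjectUserName": "hr_admin"},
    {"TimeGenerated": "2024-05-01T15:00:00", "EventID": 4726, "Computer": "DC01",
     "TargetUserName": "newhire", "SubjectUserName": "hr_admin"},
    # Deletion with no creation in the data set: ignored, not an error.
    {"TimeGenerated": "2024-05-01T12:00:00", "EventID": 4726, "Computer": "DC02",
     "TargetUserName": "orphan", "SubjectUserName": "ops"},
]


def short_lived_accounts(events, window_minutes=10):
    """Return one finding per account created and then deleted within the window."""
    pending = {}   # normalised account name -> (creation time, creation event)
    findings = []
    # Sort by time so a deletion is only ever matched to an earlier creation.
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        ts = datetime.fromisoformat(ev["TimeGenerated"])
        name = ev["TargetUserName"].lower()   # Windows account names are case-insensitive
        if ev["EventID"] == 4720:
            pending[name] = (ts, ev)          # a re-creation supersedes the older one
        elif ev["EventID"] == 4726 and name in pending:
            created_ts, created_ev = pending.pop(name)
            lifetime = ts - created_ts
            if lifetime <= timedelta(minutes=window_minutes):
                findings.append({
                    "TargetUserName": created_ev["TargetUserName"],
                    "LifetimeMinutes": lifetime.total_seconds() / 60,
                    "CreatedBy": created_ev["SubjectUserName"],
                    "CreatedOn": created_ev["Computer"],
                    "DeletedBy": ev["SubjectUserName"],
                    "DeletedOn": ev["Computer"],
                })
    return findings


if __name__ == "__main__":
    for f in short_lived_accounts(SAMPLE_EVENTS):
        print(f)   # -> only svc_tmp, lifetime 6.5 minutes
```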