Managed Sentinel – Alert 147

Alert IDMS-A147
Alert NameLocal Windows user account creation
DescriptionDetects and alerts on a local user account creation on Windows servers, which shouldn't happen in an Active Directory environment.
Severity LevelLow
Threat IndicatorUnauthorized Access
MITRE ATT&CK TacticsPersistence
Log sourcesWindows
False Positives1. Domain Controller Logs
2. Local accounts managed by privileged account management tools
Recommendations1. Collect evidence of the changes in the Windows environment related to the local account name created
2. Engage your Windows support team and validate if the account creation action is legitimate
3. If not, immediately disable the local Windows account
4. Investigate via Azure Sentinel for any lateral movements within your network using the account name. Understand and validate what or if any other changes were done during the time interval when the account was active in your internal network.
5. Perform an EDR scan on the impacted host