Detects and alerts on the creation of a local user account on a Windows server, which should not happen in an Active Directory environment where accounts are managed centrally in the domain.
MITRE ATT&CK Tactics
1. Domain Controller Logs
2. Local accounts managed by privileged account management tools
1. Collect evidence of the changes in the Windows environment related to the local account name created
2. Engage your Windows support team and validate if the account creation action is legitimate
3. If not, immediately disable the local Windows account
4. Investigate via Azure Sentinel for any lateral movement within your network using the account name. Determine and validate whether any other changes were made during the time interval when the account was active in your internal network.
5. Perform an EDR scan on the impacted host
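The detection logic described above, as an added example that is not the rule's own query: it applies the condition to constructed Windows Security Event ID 4720 ("A user account was created") records in the shape of Sentinel SecurityEvent rows, treating an event whose TargetDomainName is the host's own NetBIOS name (rather than the AD domain) as a local SAM account creation, and carries the two tuning items from the list above as exclusions. The domain name, domain controller list, managed-account list and sample events are all assumptions constructed for the example.

```python
"""Flag local (non-domain) account creation on Windows servers from 4720 events."""

AD_DOMAIN = "CONTOSO"                          # assumed AD NetBIOS domain name
DOMAIN_CONTROLLERS = {"DC01"}                  # assumed: hosts whose logs are excluded (item 1)
MANAGED_LOCAL_ACCOUNTS = {"pam-break-glass"}   # assumed: accounts owned by a PAM tool (item 2)

# Constructed sample events; field names follow the SecurityEvent schema.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "srv01.contoso.local", "TargetUserName": "backupadm",
     "TargetDomainName": "SRV01", "SubjectUserName": "jdoe", "TimeGenerated": "2024-01-02T10:15:00Z"},
    {"EventID": 4720, "Computer": "dc01.contoso.local", "TargetUserName": "alice",
     "TargetDomainName": AD_DOMAIN, "SubjectUserName": "hr-admin", "TimeGenerated": "2024-01-02T10:16:00Z"},
    {"EventID": 4720, "Computer": "dc01.contoso.local", "TargetUserName": "svc-tmp",
     "TargetDomainName": "DC01", "SubjectUserName": "jdoe", "TimeGenerated": "2024-01-02T10:17:00Z"},
    {"EventID": 4720, "Computer": "srv02.contoso.local", "TargetUserName": "pam-break-glass",
     "TargetDomainName": "SRV02", "SubjectUserName": "pam-svc", "TimeGenerated": "2024-01-02T10:18:00Z"},
    {"EventID": 4726, "Computer": "srv01.contoso.local", "TargetUserName": "backupadm",
     "TargetDomainName": "SRV01", "SubjectUserName": "jdoe", "TimeGenerated": "2024-01-02T10:19:00Z"},
]


def netbios_name(computer: str) -> str:
    """Host part of an FQDN, upper-cased, as it appears in TargetDomainName for local accounts."""
    return computer.split(".", 1)[0].upper()


def is_local_account_creation(event: dict) -> bool:
    """True for a 4720 whose target domain is the machine itself, i.e. a local SAM account."""
    if event.get("EventID") != 4720:
        return False
    target_domain = event.get("TargetDomainName", "").upper()
    # A domain account carries the AD domain name; a local account carries the host name.
    return target_domain != AD_DOMAIN and target_domain == netbios_name(event["Computer"])


def find_alerts(events, domain_controllers=DOMAIN_CONTROLLERS, managed=MANAGED_LOCAL_ACCOUNTS):
    """Return one alert record per local account creation that survives the tuning exclusions."""
    alerts = []
    for event in events:
        if not is_local_account_creation(event):
            continue
        host = netbios_name(event["Computer"])
        if host in domain_controllers:                          # item 1: DC logs
            continue
        if event["TargetUserName"].lower() in managed:          # item 2: PAM-managed accounts
            continue
        alerts.append({"Computer": host, "Account": event["TargetUserName"],
                       "CreatedBy": event["SubjectUserName"], "Time": event["TimeGenerated"]})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Each alert record carries the host, account and creating principal needed for response steps 1 and 2, and the timestamp that bounds the interval to review in step 4.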