Managed Sentinel – Alert 147
| Field | Value |
|---|---|
| Alert ID | MS-A147 |
| Alert Name | Local Windows user account creation |
| Description | Detects and alerts on local user account creation on Windows servers, which should not happen in an Active Directory environment. |
| Severity Level | Low |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Persistence |
| Log sources | Windows |
| False Positives | (1) Domain Controller logs; (2) local accounts managed by privileged account management tools |
| Recommendations | (1) Collect evidence of the changes in the Windows environment related to the local account name created. (2) Engage your Windows support team and validate whether the account creation is legitimate. (3) If it is not, immediately disable the local Windows account. (4) Investigate via Azure Sentinel for any lateral movement within your network using the account name, and determine and validate whether any other changes were made during the interval the account was active in your internal network. (5) Perform an EDR scan on the impacted host. |
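The following is an added example, not part of the Managed Sentinel alert definition, showing how the detection and the two listed false-positive exclusions can be expressed as code and run over constructed Windows Security events. It assumes events carry the field names of Azure Sentinel's SecurityEvent table (EventID, Computer, TimeGenerated, SubjectUserName, TargetUserName, TargetDomainName), that Windows Security Event ID 4720 ("A user account was created") is the signal, and that the domain controller list and the PAM-related names are hypothetical allow-lists an analyst maintains for their own tenant.

```python
"""Added example (not from the Managed Sentinel alert page): a minimal,
offline implementation of the MS-A147 detection and its false-positive
handling, run over constructed Windows Security events.

Assumptions (not stated on the page):
  * Events are dicts using Azure Sentinel SecurityEvent field names.
  * Windows Security Event ID 4720 ("A user account was created") is the signal.
  * The domain controller list and PAM names below are hypothetical allow-lists.
"""
from dataclasses import dataclass

EVENT_ID_USER_CREATED = 4720

# Hypothetical environment data backing the two false positives the alert lists.
DOMAIN_CONTROLLERS = {"dc01.corp.example", "dc02.corp.example"}
PAM_SERVICE_ACCOUNTS = {"pam-svc"}          # subjects that create accounts on behalf of a PAM tool
PAM_MANAGED_ACCOUNTS = {"la-srv02-admin"}   # local accounts the PAM tool owns


@dataclass(frozen=True)
class Alert:
    time_generated: str
    computer: str
    account: str
    created_by: str


def classify(event, domain_controllers=DOMAIN_CONTROLLERS,
             pam_subjects=PAM_SERVICE_ACCOUNTS,
             pam_accounts=PAM_MANAGED_ACCOUNTS) -> str:
    """Return why an event does or does not raise MS-A147.

    Outcomes: 'alert', 'not_account_creation', 'domain_controller',
    'domain_account', 'pam_managed'.
    """
    if event.get("EventID") != EVENT_ID_USER_CREATED:
        return "not_account_creation"
    computer = event["Computer"].lower()
    # False positive 1: a 4720 logged on a DC is a domain account, not a local one.
    if computer in domain_controllers:
        return "domain_controller"
    # A local account's TargetDomainName is the host's own NetBIOS name, not the AD domain.
    host_short = computer.split(".")[0]
    if event.get("TargetDomainName", "").lower() != host_short:
        return "domain_account"
    # False positive 2: accounts provisioned or owned by the PAM tool.
    if (event.get("SubjectUserName", "").lower() in pam_subjects
            or event.get("TargetUserName", "").lower() in pam_accounts):
        return "pam_managed"
    return "alert"


def detect_local_account_creation(events, **allow_lists) -> list:
    """Run classify() over a batch of events and build an Alert for each hit."""
    return [
        Alert(e["TimeGenerated"], e["Computer"], e["TargetUserName"], e["SubjectUserName"])
        for e in events
        if classify(e, **allow_lists) == "alert"
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-01-15T02:13:07Z", "EventID": 4720, "Computer": "SRV01.corp.example",
     "SubjectUserName": "jsmith", "TargetUserName": "backupadm", "TargetDomainName": "SRV01"},
    {"TimeGenerated": "2024-01-15T09:00:12Z", "EventID": 4720, "Computer": "DC01.corp.example",
     "SubjectUserName": "hradmin", "TargetUserName": "newhire", "TargetDomainName": "CORP"},
    {"TimeGenerated": "2024-01-15T09:30:44Z", "EventID": 4720, "Computer": "SRV02.corp.example",
     "SubjectUserName": "pam-svc", "TargetUserName": "la-srv02-admin", "TargetDomainName": "SRV02"},
    {"TimeGenerated": "2024-01-15T10:05:01Z", "EventID": 4624, "Computer": "SRV01.corp.example",
     "SubjectUserName": "-", "TargetUserName": "jsmith", "TargetDomainName": "CORP"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['Computer']:22} {e['EventID']} {e['TargetUserName']:16} -> {classify(e)}")
    for a in detect_local_account_creation(SAMPLE_EVENTS):
        print("ALERT MS-A147:", a)
```

Only the first sample event raises the alert: the DC event is suppressed by the domain controller list, the SRV02 event is suppressed because the PAM service account created it, and the 4624 logon is not an account creation at all. The per-event reason returned by classify() is what an analyst wants preserved alongside the alert, since it documents which exclusion fired during triage.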