Managed Sentinel – Alert 015
| Field | Value |
|---|---|
| Alert ID | MS-A015 |
| Alert Name | Creation and modification of a Windows privileged account |
| Description | This alert triggers when a user account has been added to a privileged built-in domain local group or global group, such as Enterprise Admins, Cert Publishers or DnsAdmins. |
| Severity Level | Low |
| Threat Indicator | Root Access |
| MITRE ATT&CK Tactics | Persistence, Privilege Escalation |
| Log sources | Windows |
| False Positive | Migration of an account into a new domain |
| Recommendations | 1. If the change is not linked to an approved internal event (subject to the organization's change management process), reverse the change in the Active Directory domain. 2. Use Azure Sentinel to query, analyse and report any network access from the affected user account to other internal resources (lateral movement). |
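A minimal form of the detection this alert describes, as an added example that is not the Managed Sentinel rule itself: it runs over constructed Windows Security events laid out like Sentinel's SecurityEvent columns (the column names and the privileged-group list are assumptions) and suppresses additions covered by an approved change record, which is how the documented false positive (account migration) would be handled.

```python
# Added example, not the Managed Sentinel MS-A015 rule. Event IDs 4728/4732/4756
# are the Windows "member added to a security-enabled global/local/universal
# group" events. PRIVILEGED_GROUPS is an assumption built from the groups the
# alert names; a production list would cover every privileged built-in group.
from dataclasses import dataclass

PRIVILEGED_GROUPS = {"Enterprise Admins", "Cert Publishers", "DnsAdmins"}
MEMBER_ADDED_EVENTS = {4728, 4732, 4756}


@dataclass(frozen=True)
class Finding:
    alert_id: str
    subject: str   # account that performed the change
    member: str    # account that was added to the group
    group: str
    event_id: int


def detect_privileged_group_additions(events, approved_changes=frozenset()):
    """Return a Finding for each member-added event targeting a privileged group.

    approved_changes holds (member, group) pairs covered by an approved change
    record (e.g. a planned domain migration) and is used to suppress them.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") not in MEMBER_ADDED_EVENTS:
            continue
        group = ev.get("TargetUserName", "")   # group name in these events
        if group not in PRIVILEGED_GROUPS:
            continue
        member = ev.get("MemberName", "")      # DN of the account added
        if (member, group) in approved_changes:
            continue
        findings.append(Finding("MS-A015", ev.get("SubjectUserName", ""),
                                member, group, ev["EventID"]))
    return findings


# Constructed sample events (assumed SecurityEvent-style column names).
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=local"},
    {"EventID": 4732, "SubjectUserName": "jdoe", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=alice,OU=Users,DC=corp,DC=local"},
    {"EventID": 4756, "SubjectUserName": "migration-svc", "TargetUserName": "DnsAdmins",
     "MemberName": "CN=bob,OU=Migrated,DC=corp,DC=local"},
]

if __name__ == "__main__":
    for f in detect_privileged_group_additions(SAMPLE_EVENTS):
        print(f)
```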