Managed Sentinel – Alert 129
| Field | Value |
|---|---|
| Alert ID | MS-A129 |
| Alert Name | Users added to privileged domain groups |
| Description | Identifies when a user account was created and then added to the built-in Administrators group on the same day. |
| Severity Level | Medium |
| Threat Indicator | Root Access |
| MITRE ATT&CK Tactics | Privilege Escalation |
| Log sources | Windows Security Event Log |
| False Positive | Service outsourcing |
| Recommendations | 1. Review the user account(s) which have been added to the privileged domain groups and identify the account owners. 2. Confirm whether the request is valid. If not, disable the accounts immediately and start an investigation to review the account activity in your environment. |
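The correlation this alert describes (account creation followed by a privileged group addition on the same calendar day, both from the Windows Security Event Log) can be illustrated with a small detection routine. The following is an added example, not the Managed Sentinel rule's own query or code. It assumes the Security log event IDs 4720 (user account created) and 4728/4732/4756 (member added to a security-enabled global/local/universal group), which the card does not list, and a set of privileged group names of which only "Administrators" comes from the card; the input events are constructed sample records, not real telemetry.

```python
from datetime import datetime
from typing import Dict, List

# Windows Security event IDs used for the correlation. These are well-known
# values, assumed here; the alert card itself does not name them.
EVENT_USER_CREATED = 4720            # A user account was created
EVENT_GROUP_MEMBER_ADDED = {4728,    # member added to security-enabled global group
                            4732,    # member added to security-enabled local group
                            4756}    # member added to security-enabled universal group

# Groups treated as privileged. "Administrators" comes from the alert card;
# the other names are assumed examples of privileged domain groups.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample events (not real log data), flattened to the fields a
# SIEM typically exposes: TargetUserName, MemberName, TargetGroup, SubjectUserName.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2024-03-05T08:12:01", "event_id": 4720, "target": "svc-backup", "subject": "jdoe"},
    {"time": "2024-03-05T08:14:30", "event_id": 4732, "member": "svc-backup",
     "group": "Administrators", "subject": "jdoe"},
    {"time": "2024-03-05T09:00:00", "event_id": 4720, "target": "helpdesk7", "subject": "asmith"},
    # next-day addition: outside the same-day window, so not alerted
    {"time": "2024-03-06T10:00:00", "event_id": 4728, "member": "helpdesk7",
     "group": "Domain Admins", "subject": "asmith"},
    # pre-existing account: no matching creation event, so not alerted
    {"time": "2024-03-05T11:00:00", "event_id": 4732, "member": "olduser",
     "group": "Administrators", "subject": "jdoe"},
    # non-privileged group: ignored
    {"time": "2024-03-05T12:00:00", "event_id": 4732, "member": "svc-backup",
     "group": "Remote Desktop Users", "subject": "jdoe"},
]


def find_same_day_privileged_adds(events: List[Dict]) -> List[Dict]:
    """Return one alert per privileged group addition whose member account was
    created on the same calendar day, earlier in the log."""
    created: Dict[str, datetime] = {}   # account name (lower-cased) -> creation time
    alerts: List[Dict] = []
    # Process in time order so a creation is always seen before the addition.
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        eid = ev["event_id"]
        if eid == EVENT_USER_CREATED:
            created[ev["target"].lower()] = ts
        elif eid in EVENT_GROUP_MEMBER_ADDED and ev["group"] in PRIVILEGED_GROUPS:
            member = ev["member"].lower()
            created_at = created.get(member)
            if created_at is None:
                continue                       # account predates the log window
            if created_at.date() != ts.date():
                continue                       # different day: outside this alert's scope
            alerts.append({
                "account": ev["member"],
                "group": ev["group"],
                "added_by": ev["subject"],
                "created_at": created_at.isoformat(),
                "added_at": ts.isoformat(),
                "minutes_after_creation": int((ts - created_at).total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_same_day_privileged_adds(SAMPLE_EVENTS):
        print(f"[MS-A129] {alert['account']} added to {alert['group']} by "
              f"{alert['added_by']} {alert['minutes_after_creation']} min after creation")
```

On the sample data only the svc-backup addition fires: the helpdesk7 addition happens the next day, olduser has no creation event, and the Remote Desktop Users addition is not a privileged group. Note that a calendar-day comparison, which is what the card describes, does not catch a creation at 23:55 followed by an addition at 00:05; a rolling 24-hour window would, at the cost of a slightly different alert definition.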