Managed Sentinel – Alert 091
| Field | Value |
|---|---|
| Alert ID | MS-A091 |
| Alert Name | Group recently created was added to a privileged built-in group |
| Description | A group created in the last 7 days was added to a privileged built-in domain local group or global group, such as Enterprise Admins, Cert Publishers or DnsAdmins. |
| Severity Level | Medium |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Lateral Movement |
| Log sources | Windows Information Event Logs |
| False Positives | Approved/sanctioned change. Newly installed application which requires elevated access into the AD domain. |
| Recommendations | 1. Review the change management history and validate whether this is an approved change. 2. Remove the account from the elevated group. 3. Review AD logs to identify additional activities under this account name. |
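The detection described above can be expressed as a Sentinel analytics query that correlates group-creation events with member-added events on privileged groups. The query below is an added illustration, not the Managed Sentinel rule's own logic; it assumes the standard `SecurityEvent` table populated from the Windows Security log (Event IDs 4727/4731/4754 for group creation and 4728/4732/4756 for member additions), and the privileged-group list is a constructed placeholder to be tuned per domain. It goes slightly beyond the card's wording by also covering universal groups (4754/4756), since Enterprise Admins and Schema Admins are universal groups in native-mode domains.

```kusto
// Added example (not the MS-A091 rule's own query): flag a group created in the
// last 7 days that was then added as a member of a privileged built-in group.
// Assumption: SecurityEvent is fed from the Windows Security log.
let lookback = 7d;
// Constructed placeholder list; extend with your own Tier-0 / delegated groups.
let PrivilegedGroups = dynamic([
    "Enterprise Admins", "Domain Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators",
    "Cert Publishers", "DnsAdmins"]);
// 4727 / 4731 / 4754: a security-enabled global / domain-local / universal group was created.
// TargetUserName / TargetSid identify the newly created group.
let NewGroups = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID in (4727, 4731, 4754)
    | project GroupCreatedTime = TimeGenerated,
              NewGroupName = TargetUserName,
              NewGroupSid = TargetSid,
              CreatedBy = SubjectUserName;
// 4728 / 4732 / 4756: a member was added to a global / domain-local / universal group.
// TargetUserName is the group receiving the member; MemberSid is the member added.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID in (4728, 4732, 4756)
| where TargetUserName in~ (PrivilegedGroups)
// Match on SID rather than name so a rename of the new group does not evade the rule.
| join kind=inner NewGroups on $left.MemberSid == $right.NewGroupSid
| where TimeGenerated >= GroupCreatedTime
| project TimeGenerated, Computer, EventID,
          PrivilegedGroup = TargetUserName,
          NewGroupName, NewGroupSid, GroupCreatedTime, CreatedBy,
          AddedBy = SubjectUserName
| order by TimeGenerated desc
```

Joining on `MemberSid`/`TargetSid` rather than on display names keeps the correlation intact if the new group is renamed between creation and nesting. When triaging a hit, `CreatedBy` and `AddedBy` give the two accounts to check against change management, and `Computer` identifies the domain controller that logged the change.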