Managed Sentinel – Alert 121

| Field | Value |
| --- | --- |
| Alert ID | MS-A121 |
| Alert Name | Add + Delete account from a privileged group within a short time frame |
| Description | Identifies accounts that are added to a privileged group and then quickly removed, which could be a sign of compromise. |
| Severity Level | Low |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Persistence, Privilege Escalation |
| Log sources | Windows |
| False Positives | Approved changes as part of UAT/DEV testing |
| Recommendations | 1. Collect evidence of the changes in the Windows environment related to the account that was added and then removed. 2. Investigate in Azure Sentinel for any lateral movement within your network using that account name; understand and validate what other changes, if any, were made during the time frame when the account was active in your network. 3. Identify the originating host from which the change was made. 4. Perform an EDR scan on the impacted host. |
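One way to express the detection described above as a Sentinel analytics query (an added illustration, not the Managed Sentinel rule itself). It assumes Windows Security events land in the standard `SecurityEvent` table; the 10-minute window and the list of privileged group names are constructed assumptions to adjust per environment.

```kusto
// Added example, not the MS-A121 rule definition. Assumes the SecurityEvent table
// with Windows Security auditing for group membership changes enabled.
let lookback = 7d;
let window = 10m;   // constructed threshold for "short time frame"
// Constructed list of groups treated as privileged; extend to match your environment.
let privilegedGroups = dynamic(["Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"]);
// Member added to a security-enabled group: 4728 (global), 4732 (local), 4756 (universal)
let added = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID in (4728, 4732, 4756)
    | where TargetUserName in~ (privilegedGroups)
    | project AddTime = TimeGenerated, Computer, GroupName = TargetUserName, GroupSid = TargetSid,
              Member = MemberName, MemberSid, AddedBy = SubjectUserName;
// Member removed from a security-enabled group: 4729 (global), 4733 (local), 4757 (universal)
let removed = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID in (4729, 4733, 4757)
    | project RemoveTime = TimeGenerated, Computer, GroupSid = TargetSid, MemberSid, RemovedBy = SubjectUserName;
// Pair each add with a remove of the same member from the same group on the same host,
// keeping only removals that happen within the window after the add.
added
| join kind=inner removed on Computer, GroupSid, MemberSid
| where RemoveTime between (AddTime .. (AddTime + window))
| extend MinutesActive = datetime_diff('minute', RemoveTime, AddTime)
| project AddTime, RemoveTime, MinutesActive, Computer, GroupName, Member, MemberSid, AddedBy, RemovedBy
| order by AddTime desc
```

Joining on `MemberSid` rather than the display name keeps the correlation intact if the account is renamed between the add and the remove, and `Computer` shows the originating host referenced in recommendation 3.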