
Effective Threat Investigation for SOC Analysts
Microsoft records several events that allow you to track account and security group management activities such as account creation, account deletion, account disablement, group creation, adding and removing accounts from security groups, and changes made to accounts. Such events allow you to detect and investigate several suspicious account and group management activities, including accounts being created by an attacker to maintain persistence in the environment, accounts being created by unauthorized users, unexpected accounts being added to a privileged security group, unexpected account deletion and changes, and account and group management activities outside of working hours.
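As an added illustration (not code from the book), the script below runs the kinds of checks the paragraph describes over a handful of constructed Security log records: account creation by an actor outside a provisioning allow-list, membership added to a privileged group, any account or group management activity outside working hours, and a short creation-then-privileged-group-addition chain that is typical of persistence. The event IDs are Microsoft's documented values for these events; the provisioning accounts, privileged group list, working hours, and the sample events themselves are assumptions constructed for the example, and the `MemberName` field is simplified to a plain account name where a real event carries a distinguished name.

```python
from datetime import datetime, timedelta

# Documented Windows Security event IDs for account and group management.
ACCOUNT_CREATED = 4720
ACCOUNT_DISABLED = 4725
ACCOUNT_DELETED = 4726
ACCOUNT_CHANGED = 4738
GROUP_CREATED = {4727, 4731, 4754}    # security-enabled global / local / universal group created
MEMBER_ADDED = {4728, 4732, 4756}     # member added to security-enabled global / local / universal group
MEMBER_REMOVED = {4729, 4733, 4757}   # member removed from security-enabled global / local / universal group
MANAGEMENT_EVENTS = ({ACCOUNT_CREATED, ACCOUNT_DISABLED, ACCOUNT_DELETED, ACCOUNT_CHANGED}
                     | GROUP_CREATED | MEMBER_ADDED | MEMBER_REMOVED)

# Hypothetical environment policy: assumptions for this example, not values from the book.
PROVISIONING_ACCOUNTS = {"svc-identity", "helpdesk01"}   # accounts allowed to create users
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
WORK_HOURS = (8, 18)                                      # 08:00 to 18:00, Monday to Friday

# Constructed sample events (not real log data), shaped after Security log fields.
# 2024-03-12 is a Tuesday; 2024-03-16 is a Saturday.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-03-12T10:15:00", "SubjectUserName": "helpdesk01", "TargetUserName": "j.doe"},
    {"EventID": 4720, "TimeCreated": "2024-03-12T02:40:00", "SubjectUserName": "j.doe", "TargetUserName": "backup_svc2"},
    {"EventID": 4728, "TimeCreated": "2024-03-12T02:41:00", "SubjectUserName": "j.doe",
     "MemberName": "backup_svc2", "TargetUserName": "Domain Admins"},
    {"EventID": 4738, "TimeCreated": "2024-03-12T11:00:00", "SubjectUserName": "helpdesk01", "TargetUserName": "j.doe"},
    {"EventID": 4726, "TimeCreated": "2024-03-16T14:00:00", "SubjectUserName": "helpdesk01", "TargetUserName": "temp_contractor"},
]


def outside_working_hours(timestamp):
    """True if the ISO timestamp falls on a weekend or outside WORK_HOURS."""
    t = datetime.fromisoformat(timestamp)
    return t.weekday() >= 5 or not (WORK_HOURS[0] <= t.hour < WORK_HOURS[1])


def investigate(events, provisioning=PROVISIONING_ACCOUNTS, privileged=PRIVILEGED_GROUPS):
    """Return (finding, actor, detail) tuples for suspicious account/group management events."""
    findings = []
    for e in events:
        eid, actor, target = e["EventID"], e["SubjectUserName"], e["TargetUserName"]
        # Account created by someone who is not an approved provisioning account.
        if eid == ACCOUNT_CREATED and actor not in provisioning:
            findings.append(("unauthorized_account_creation", actor, target))
        # Membership added to a privileged group; for these events TargetUserName is the group.
        if eid in MEMBER_ADDED and target in privileged:
            findings.append(("privileged_group_addition", actor, f"{e.get('MemberName', '?')} -> {target}"))
        # Any management activity outside the defined working hours.
        if eid in MANAGEMENT_EVENTS and outside_working_hours(e["TimeCreated"]):
            findings.append(("off_hours_activity", actor, target))
    return findings


def correlate_persistence(events, window_minutes=60, privileged=PRIVILEGED_GROUPS):
    """Chain an account creation with a later privileged-group addition of that account
    within the window, which is the persistence pattern the text describes."""
    created = {}   # new account -> (creating actor, creation time)
    chains = []
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        t = datetime.fromisoformat(e["TimeCreated"])
        if e["EventID"] == ACCOUNT_CREATED:
            created[e["TargetUserName"]] = (e["SubjectUserName"], t)
        elif e["EventID"] in MEMBER_ADDED and e["TargetUserName"] in privileged:
            member = e.get("MemberName", "")
            if member in created:
                actor, t0 = created[member]
                if t - t0 <= timedelta(minutes=window_minutes):
                    chains.append((actor, member, e["TargetUserName"]))
    return chains


if __name__ == "__main__":
    for finding in investigate(SAMPLE_EVENTS):
        print(finding)
    for chain in correlate_persistence(SAMPLE_EVENTS):
        print("persistence chain:", chain)
```

The allow-list and working-hours thresholds are deliberately kept as plain constants so they can be swapped for values pulled from an HR or change-management system; the persistence correlation is the step an analyst would normally do by hand by lining up the 4720 and 4728/4732/4756 events for the same account.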
For a better explanation of the Windows account and security group management tracking events, we will divide this section into two subsections: