Detect Privilege Escalation for Local Groups


Performing IDR tuning and noticed that when performing Privilege Escalation for local groups (Print Operators, Backup Operators, Built-in Administrators) we are not receiving alerts. Is this expected behavior?


@heath_higgins we have an alert named Account Privilege Escalated. Have you verified that this is set to Alert?



@david_smith - yes, it is enabled and works when escalating against privileged domain groups. It does not work on local privileged groups.

@heath_higgins do you see the log events in AD Admin activity when these actions are taken?
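To check the same gap locally while the above is investigated, here is an added detection example (not from the thread or the product) that runs over constructed Windows Security events and flags additions to privileged built-in local groups (event 4732) as well as domain groups (4728/4756). The key=value log format and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass

# Windows Security event IDs for group membership additions.
# 4732 = member added to a security-enabled LOCAL group (the case the
# thread reports as not alerting); 4728 / 4756 = global / universal groups.
LOCAL_GROUP_ADD = {"4732"}
DOMAIN_GROUP_ADD = {"4728", "4756"}

# Privileged built-in local groups named in the thread plus common extras.
PRIVILEGED_LOCAL_GROUPS = {
    "Administrators", "Backup Operators", "Print Operators",
    "Server Operators", "Account Operators", "Remote Desktop Users",
}
PRIVILEGED_DOMAIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

@dataclass
class Finding:
    event_id: str
    scope: str      # "local" or "domain"
    group: str
    member: str
    actor: str
    host: str

# Constructed sample events (key=value, one per line); not real telemetry.
SAMPLE_EVENTS = [
    'EventID=4732 Computer=FS01 SubjectUserName=jdoe TargetUserName="Backup Operators" MemberName=CORP\\svc_backup',
    'EventID=4732 Computer=FS01 SubjectUserName=jdoe TargetUserName="Remote Management Users" MemberName=CORP\\alice',
    'EventID=4728 Computer=DC01 SubjectUserName=admin1 TargetUserName="Domain Admins" MemberName=CORP\\bob',
    'EventID=4624 Computer=FS01 SubjectUserName=jdoe TargetUserName=jdoe MemberName=-',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> dict:
    """Parse one key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def detect_privileged_group_adds(lines):
    """Return a Finding for every addition to a privileged local or domain group."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid, group = ev.get("EventID", ""), ev.get("TargetUserName", "")
        if eid in LOCAL_GROUP_ADD and group in PRIVILEGED_LOCAL_GROUPS:
            scope = "local"
        elif eid in DOMAIN_GROUP_ADD and group in PRIVILEGED_DOMAIN_GROUPS:
            scope = "domain"
        else:
            continue  # not a group add, or not a privileged group
        findings.append(Finding(eid, scope, group, ev.get("MemberName", ""),
                                ev.get("SubjectUserName", ""), ev.get("Computer", "")))
    return findings

if __name__ == "__main__":
    for f in detect_privileged_group_adds(SAMPLE_EVENTS):
        print(f"[{f.scope}] {f.actor}@{f.host} added {f.member} to '{f.group}' (EventID {f.event_id})")
```

Comparing the findings this produces against what the SIEM raises for the same events shows whether the collector is receiving the 4732 events at all or whether only the alert rule is ignoring local groups.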