Admin Event

An admin event can be classified as any addition, deletion, or modification to enterprise hardware or software that a high privilege account would make. These changes can seriously impact or influence the way the network or environment functions.

Only approved staff members should be performing these actions, if they are not and a suspected malicious event is attributed to them a full incident response investigation should follow.

Examples include the changing of: routing, admin account creation or deletion, DNS zones, AD schema, and remote access permissions.