Local user enumeration via SAMR

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2026-01-27

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules
Detector Tags
ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Account Discovery: Local Account (T1087.001)
Severity	Informational

A user enumerated local users via SAMR.

An adversary may leverage local user discovery to identify privileged users and escalate privileges.

Determine the user, hostname, and process that performed the user enumeration.
Inspect process, command-line arguments or scripts used.
Check for any privilege escalation or lateral movement attempts from the source system.
Check if the tool used to enumerate the local users is a known or an approved tool.
Review the logs for suspicious activity from the same host or user.

ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Account Discovery: Local Account (T1087.001)
Severity	Low

A user enumerated local users via SAMR.

An adversary may leverage local user discovery to identify privileged users and escalate privileges.

Determine the user, hostname, and process that performed the user enumeration.
Inspect process, command-line arguments or scripts used.
Check for any privilege escalation or lateral movement attempts from the source system.
Check if the tool used to enumerate the local users is a known or an approved tool.
Review the logs for suspicious activity from the same host or user.