We'd like to see the EDR produce an alert whenever a 'high value' account has its password changed - to give a specific example, the Kerberos Golden Ticket 'krbtgt' account. We've seen that a rival XDR platform was able to flag this when we were rotating the password for this account.
As an extension to this (and as has been mentioned on another request), any actions against 'high value' users or groups should be flagged, e.g. adding or removing users from administrator-level groups, which would be a precursor to lateral movement attacks.
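
The alerting asked for above can be sketched as detection logic over Windows Security events. This is an added example, not part of the original request or of any vendor's product; the watchlists, the `evaluate`/`scan` names and the sample events are constructed assumptions, while the event IDs are the standard Windows Security audit ones.

```python
# Standard Windows Security audit event IDs.
PASSWORD_EVENTS = {4723: "password change attempt", 4724: "password reset attempt"}
GROUP_EVENTS = {
    4728: "member added to", 4729: "member removed from",  # global groups
    4732: "member added to", 4733: "member removed from",  # local groups
    4756: "member added to", 4757: "member removed from",  # universal groups
}

# Assumed watchlists (lower-case); tune these to the environment.
HIGH_VALUE_ACCOUNTS = {"krbtgt", "administrator"}
HIGH_VALUE_GROUPS = {"domain admins", "enterprise admins", "administrators"}


def evaluate(event):
    """Return an alert dict if the event touches a high-value object, else None."""
    event_id = event.get("EventID")
    # Account and group names are case-insensitive, so compare lower-cased.
    target = (event.get("TargetUserName") or "").lower()
    actor = event.get("SubjectUserName") or "unknown"
    if event_id in PASSWORD_EVENTS and target in HIGH_VALUE_ACCOUNTS:
        summary = f"{PASSWORD_EVENTS[event_id]} on account '{target}'"
        return {"severity": "high", "actor": actor, "summary": summary}
    if event_id in GROUP_EVENTS and target in HIGH_VALUE_GROUPS:
        # In group-change events TargetUserName is the group, MemberName the member.
        member = event.get("MemberName") or event.get("MemberSid") or "unknown"
        summary = f"{GROUP_EVENTS[event_id]} group '{target}': {member}"
        return {"severity": "high", "actor": actor, "summary": summary}
    return None


def scan(events):
    """Evaluate a batch of parsed events and keep only the alerts."""
    return [alert for alert in map(evaluate, events) if alert]


# Constructed sample events (already parsed into dicts), not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4724, "TargetUserName": "krbtgt", "SubjectUserName": "svc-rotate"},
    {"EventID": 4724, "TargetUserName": "jsmith", "SubjectUserName": "helpdesk1"},
    {"EventID": 4728, "TargetUserName": "Domain Admins", "SubjectUserName": "admin2",
     "MemberName": "CN=jsmith,CN=Users,DC=example,DC=test"},
    {"EventID": 4733, "TargetUserName": "Print Operators", "SubjectUserName": "admin2",
     "MemberName": "CN=temp1,CN=Users,DC=example,DC=test"},
    {"EventID": 4624, "TargetUserName": "Administrator", "SubjectUserName": "-"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

A planned krbtgt rotation produces the same alert as an unplanned one, so the `actor` field is what an analyst would check against the change record.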