This alerts is triggered whenever a previously disabled Windows account is reactivated.
MITRE ATT&CK Tactics
Windows Security Event Logs
1. Disable user account.
2. Complete an investigation in Azure Sentinel to understand any access from impacted user account to other internal network systems.
3. Review log history on Windows AD to find out the adminsitrator who reactivated the user account