Managed Sentinel – Alert 082

Alert ID: MS-A082
Alert Name: Previously disabled accounts becoming active
Description: This alert is triggered whenever a previously disabled Windows account is reactivated.
Severity Level: High
Threat Indicator: Root Access
MITRE ATT&CK Tactics: Privilege Escalation, Credential Access
Log sources: Windows Security Event Logs
Recommendations:
1. Disable the user account.
2. Complete an investigation in Azure Sentinel to understand any access from the impacted user account to other internal network systems.
3. Review the log history on Windows AD to find out which administrator reactivated the user account.
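The following KQL query is an added example of how this detection can be expressed in Azure Sentinel; it is not Managed Sentinel's own rule logic, which the page does not show. It assumes the standard SecurityEvent table and the Windows Security event IDs 4725 (user account disabled) and 4722 (user account enabled), and it also surfaces the account that performed the reactivation, which is what recommendation 3 asks the analyst to find.

```kql
// Added example, not the Managed Sentinel rule itself.
// Assumptions: SecurityEvent table, EventID 4725 = account disabled,
// EventID 4722 = account enabled. Adjust the lookback windows to taste.
let disable_lookback = 30d;   // how far back a prior disable must be seen
let enable_window = 1d;       // period in which a reactivation raises the alert
let disabled = SecurityEvent
    | where TimeGenerated > ago(disable_lookback)
    | where EventID == 4725
    | project DisabledTime = TimeGenerated,
              TargetAccount = TargetUserName,
              TargetDomain = TargetDomainName,
              DisabledBy = SubjectUserName;
let enabled = SecurityEvent
    | where TimeGenerated > ago(enable_window)
    | where EventID == 4722
    | project EnabledTime = TimeGenerated,
              TargetAccount = TargetUserName,
              TargetDomain = TargetDomainName,
              EnabledBy = SubjectUserName,   // the administrator who reactivated it
              Computer;                      // the DC / host that logged the change
// Only fire when the enable follows an earlier disable of the same account.
enabled
| join kind=inner disabled on TargetAccount, TargetDomain
| where DisabledTime < EnabledTime
// Keep the most recent disable per reactivation so each alert is a single row.
| summarize arg_max(DisabledTime, DisabledBy)
    by EnabledTime, TargetAccount, TargetDomain, EnabledBy, Computer
| project EnabledTime, TargetAccount, TargetDomain, EnabledBy, Computer,
          DisabledTime, DisabledBy
| order by EnabledTime desc
```

Accounts that were disabled before the lookback window will not match; widen `disable_lookback` if the environment retains Security events for longer.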