Managed Sentinel – Alert 082

Alert ID: MS-A082
Alert Name: Previously disabled accounts becoming active
Description: This alert is triggered whenever a previously disabled Windows account is reactivated.
Severity Level: High
Threat Indicator: Root Access
MITRE ATT&CK Tactics: Privilege Escalation, Credential Access
Log sources: Windows Security Event Logs
Recommendations: Disable the user account. Use Azure Sentinel to query and report all access from the affected user account to other internal resources.