Managed Sentinel – Alert 089

Alert ID: MS-A089
Alert Name: Windows privileged account password changed on critical servers
Description: This alert is triggered whenever the password of an administrator (privileged) account is changed or reset on one of the monitored critical servers. The customer provides the list of critical servers to be monitored.
Severity Level: Medium
Threat Indicator: Root Access
MITRE ATT&CK Tactics: Initial Access, Privilege Escalation, Credential Access
Log Sources: Windows Security Event Logs (Event ID 4723, an account changed its own password; Event ID 4724, an account's password was reset by another account). Both events are only written when the "Audit User Account Management" subcategory is enabled for Success on the monitored servers.
False Positives: Password changes or resets performed as part of outsourced service activity.
Recommendations: Disable the affected user account. Use Azure Sentinel to query and report all logons by the affected account to other internal resources (lateral movement).
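As an added example (not part of the Managed Sentinel alert catalogue), the two KQL queries below implement this alert's logic against the Azure Sentinel SecurityEvent table and the lateral-movement hunt from the Recommendations row. Assumptions: a Sentinel watchlist named CriticalServers with a Hostname column holding the servers' FQDNs (the name and column are hypothetical), a hypothetical list of privileged account names, and a hypothetical affected account "svc-backup" for the hunt.

```kql
// Query 1: detection logic for MS-A089 (added example; names below are assumptions).
// Critical servers come from a Sentinel watchlist (hypothetical name/column).
// SecurityEvent.Computer is normally the FQDN, so the watchlist should hold FQDNs.
let CriticalServers = _GetWatchlist('CriticalServers')
    | project Hostname = tolower(Hostname);
// Hypothetical privileged account list; replace with the customer's own.
let PrivilegedAccounts = dynamic(["administrator", "svc-backup"]);
SecurityEvent
| where TimeGenerated > ago(1h)
// 4723: account changed its own password; 4724: password reset by another account
| where EventID in (4723, 4724)
| where tolower(Computer) in (CriticalServers)
| where tolower(TargetUserName) in (PrivilegedAccounts)
    or tolower(TargetUserName) endswith "-adm"        // naming convention, assumed
| project TimeGenerated, Computer, EventID, Activity,
    TargetAccount = strcat(TargetDomainName, "\\", TargetUserName),
    ChangedBy     = strcat(SubjectDomainName, "\\", SubjectUserName),
    SubjectLogonId
| order by TimeGenerated desc

// Query 2: response hunt for the Recommendations row. Lists every network (3) and
// RDP (10) logon by the affected account across all hosts, so lateral movement
// after the password change can be reported.
let AffectedAccount = "svc-backup";                       // hypothetical; take from the alert
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4624 and LogonType in (3, 10)
| where tolower(TargetUserName) == tolower(AffectedAccount)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
    Logons = count() by Computer, IpAddress, LogonType
| order by FirstSeen asc
```

Run each query separately in the Logs blade (the editor runs the query under the cursor). Query 1 is the candidate analytics rule body; Query 2 is meant to be run by the responder once the TargetAccount from the alert is known, and its SubjectLogonId from Query 1 can be used to pivot on the session that performed the change.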