Managed Sentinel – Alert 091

Alert ID: MS-A091
Alert Name: Critical Windows server restarted
Description: This alert fires when one of the customer's critical Windows servers is restarted.

Customer to provide a list of critical servers to be included in this alert.
Severity Level: Low
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Execution
Log sources: Windows Information Event Logs
False Positives: Planned change management window
Recommendations: Investigate whether the server reboot was performed within a planned and approved change window. If not, search the Windows Security Logs for the last account that logged on and collect data about the suspected user account.
Perform a general query in Sentinel to identify any potential lateral movement from this account.
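One way to implement the detection and the first triage step described above in Sentinel, as an added example that is not the Managed Sentinel alert's own query: it matches the Windows System log restart event (Event ID 1074, which records the process and account that initiated a shutdown or restart) against a list of critical servers, then attaches the most recent interactive or RDP logon on that host before the restart. The server names, the lookback window and the regular expressions over the rendered event text are assumptions for illustration; the `Event` and `SecurityEvent` table columns used are the standard Log Analytics schema.

```kql
// Constructed list of critical servers (assumption: in production this comes from the customer)
let CriticalServers = dynamic(["SRV-DC01", "SRV-FILE01", "SRV-SQL01"]);
let lookback = 1d;
// Step 1: restart events on the critical servers.
// Event ID 1074 in the System log records who initiated a shutdown/restart and why.
let Restarts = Event
    | where TimeGenerated > ago(lookback)
    | where EventLog == "System" and EventID == 1074
    | where Computer in~ (CriticalServers)
    // The rendered text reads "... has initiated the restart of computer X on behalf of user DOMAIN\user for the following reason: ..."
    | extend Action    = extract(@"has initiated the (\w+) of computer", 1, RenderedDescription)
    | extend Initiator = extract(@"on behalf of user (\S+) for the following reason", 1, RenderedDescription)
    | extend Reason    = extract(@"for the following reason: (.*)$", 1, RenderedDescription)
    | where Action =~ "restart"
    | project RestartTime = TimeGenerated, Computer, Initiator, Reason;
// Step 2: interactive (2) and RDP (10) logons on the same hosts, to find the last account on the box.
let Logons = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and LogonType in (2, 10)
    | project LogonTime = TimeGenerated, Computer, LogonAccount = Account, LogonSourceIp = IpAddress;
// Step 3: for each restart, keep only the latest logon that preceded it.
Restarts
| join kind=leftouter Logons on Computer
| where isnull(LogonTime) or LogonTime <= RestartTime
| summarize arg_max(LogonTime, LogonAccount, LogonSourceIp) by RestartTime, Computer, Initiator, Reason
| project RestartTime, Computer, Initiator, Reason, LastLogonTime = LogonTime, LastLogonAccount = LogonAccount, LastLogonSourceIp = LogonSourceIp
| order by RestartTime desc
```

When the customer's server list is maintained as a Sentinel watchlist instead of an inline array, replace the `in~ (CriticalServers)` filter with `in~ (_GetWatchlist('CriticalServers') | project SearchKey)`. Results whose `RestartTime` falls inside an approved change window are the expected false positive named above; the `Initiator` and `LastLogonAccount` columns give the starting point for the lateral movement search in the recommendations.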