This alert fires when a Windows server is restarted.
The customer must provide a list of critical servers to be included in this alert.
MITRE ATT&CK Tactics
Windows Information Event Logs
Planned change management window
Investigate whether the server reboot was performed within a planned and approved change window. If not, search the Windows Security Logs for the last account that logged in and collect data about the suspected user account.
Perform a general query in Sentinel to identify any potential lateral movement from this account.
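The following Sentinel query is an added example, not part of the original alert definition. It finds restarts of critical servers and attaches the last successful logon seen on each server before the restart. Assumptions: the customer's server list is stored as a watchlist with the hypothetical alias `CriticalServers` keyed on host name, System-log events are collected into the `Event` table and Security-log events into `SecurityEvent`, and event ID 1074 (restart or shutdown initiated by a user or process) is the restart signal.

```kql
// Added example. Assumed, not from the page: watchlist alias 'CriticalServers',
// event ID 1074 as the restart signal, and the two time windows below.
let lookback = 1d;        // how far back to look for restarts
let loginWindow = 4h;     // how long before a restart a logon is still of interest
let criticalServers = _GetWatchlist('CriticalServers')
    | project Computer = tolower(tostring(SearchKey));
// Restart or shutdown requests recorded in the System log of a critical server.
let restarts = Event
    | where TimeGenerated > ago(lookback)
    | where EventLog == "System" and Source =~ "User32" and EventID == 1074
    | extend Computer = tolower(Computer)
    | where Computer in (criticalServers)
    | project RestartTime = TimeGenerated, Computer, RestartDetail = RenderedDescription;
// Successful interactive, network and remote-interactive logons on any host.
let logons = SecurityEvent
    | where TimeGenerated > ago(lookback + loginWindow)
    | where EventID == 4624 and LogonType in (2, 3, 10)
    | extend Computer = tolower(Computer)
    | project LogonTime = TimeGenerated, Computer, Account, LogonType, IpAddress;
// Most recent logon inside the window that precedes each restart.
let lastLogon = restarts
    | join kind=inner (logons) on Computer
    | where LogonTime between ((RestartTime - loginWindow) .. RestartTime)
    | summarize arg_max(LogonTime, Account, LogonType, IpAddress) by Computer, RestartTime;
// Left outer join keeps restarts that had no logon in the window at all.
restarts
| join kind=leftouter (lastLogon) on Computer, RestartTime
| project RestartTime, Computer, RestartDetail, LogonTime, Account, LogonType, IpAddress
| order by RestartTime desc
```

A row with an empty `Account` means no matching logon was recorded in the window. The watchlist host names must match the form of `Computer` in the logs (short name or FQDN) for the filter to work.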