Managed Sentinel – Alert 101
| Field | Value |
|---|---|
| Alert Name | Suspicious high privilege account login failure on Windows systems |
| Description | This will alert on x login failure attempts within predefined timelines and correlate with a customer's provided list of accounts. |
| Threat Indicator | Root Access |
| MITRE ATT&CK Tactics | Initial Access |
| Log sources | Windows Security Event Logs |
| Recommendations | 1. Disable the user account or change the user account password.<br>2. Use Azure Sentinel to investigate any suspicious access from the affected user account to other internal resources (lateral movement).<br>3. Investigate the source host from which the login attempts were made.<br>4. Perform an Azure Sentinel investigation for this entity (the IP address related to the attacker). |
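The detection logic described above (repeated failed logons by accounts on a customer-supplied list, counted within a time window) can be expressed as an Azure Sentinel KQL analytics rule. The query below is an added example, not the Managed Sentinel rule itself; it assumes a Sentinel watchlist named `HighPrivAccounts` with an `Account` column holding the customer's privileged account names, a 1-hour window and a threshold of 5 failures (both stand-ins for the "x" and "predefined timelines" in the description), and the standard `SecurityEvent` table populated from Windows Security Event Logs.

```kql
// Added example (not the Managed Sentinel rule): failed logons (Event ID 4625)
// for accounts on a privileged-account watchlist, thresholded per window.
// Assumptions: watchlist 'HighPrivAccounts' with column 'Account',
// lookback of 1h and threshold of 5 failures.
let lookback = 1h;
let threshold = 5;
let privAccounts =
    _GetWatchlist('HighPrivAccounts')
    | project Account = tolower(Account);
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                       // An account failed to log on
| extend AcctLower = tolower(TargetUserName)
| join kind=inner privAccounts on $left.AcctLower == $right.Account
| summarize FailureCount = count(),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated),
            SourceIPs   = make_set(IpAddress, 20),        // pivot for recommendation 4
            SourceHosts = make_set(WorkstationName, 20),  // pivot for recommendation 3
            SubStatuses = make_set(SubStatus, 10)         // e.g. bad password vs. locked out
    by TargetUserName, TargetDomainName, Computer
| where FailureCount >= threshold
| order by FailureCount desc
```

Keeping `SourceIPs` and `SourceHosts` in the summarized output lets the analyst map entities directly onto recommendations 3 and 4 without re-querying, and `SubStatus` separates password-guessing attempts from an account that is simply locked out.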