Managed Sentinel – Alert 101

Alert ID: MS-A101
Alert Name: Suspicious high privilege account login failure on Windows systems
Description: This alert fires when a configured number (x) of login failures for one account occurs within a predefined time window, correlated against the customer-provided list of high-privilege accounts.
Severity Level: Low
Threat Indicator: Root Access
MITRE ATT&CK Tactics: Initial Access, Privilege Escalation, Credential Access
Log Sources: Windows Security Event Logs
False Positive: Unknown
Recommendations:
1. Disable the user account or change the user account password.
2. Use Azure Sentinel to investigate any suspicious access from the affected user account to other internal resources (lateral movement).
3. Investigate the source host from which the login attempt was made.
4. Perform an Azure Sentinel investigation for this entity (the IP address related to the attacker).