Managed Sentinel – Alert 109

Alert IDMS-A109
Alert NameTracking Privileged Account Rare Activity
DescriptionThis query will determine rare activity by a high-value account carried out on a system or service. Rare here means an activity type seen in the last day which has not been seen in the previous 7 days. If any account with such rare activity is found, the query will attempt to retrieve related activity from that account on that same day and summarize the information.
Source: Github - Microsoft
Severity LevelInformational
Threat IndicatorUnauthorized Access
MITRE ATT&CK TacticsPrivilege Escalation
Discovery
Log sourcesWindows Security Event Logs
Unix
False PositivesService account activity
RecommendationsInvestigate account activity across entire network using Sentinel.