Managed Sentinel – Alert 123

Alert ID: MS-A123
Alert Name: Changes in a Windows Audit Policy on a critical server
Description: This alert is triggered whenever an audit policy change event is generated by the system.
Customer to provide a list of servers subject to this alert.
Severity Level: Low
Threat Indicator: Root Access
MITRE ATT&CK Tactics: Initial Access, Privilege Escalation, Credential Access
Log sources: Windows Security Event Logs
False Positive: Service account related changes
Recommendations: If the change is not correlated with an approved internal event that went through the standard change management processes in your organization, reverse the change in Windows.