Managed Sentinel – Alert 201

Alert ID: MS-A201
Alert Name: Silent log source monitoring - CommonSecurityLog
Description: This alert is triggered when Sentinel can no longer detect log entries from a log source that sends its logs in CEF format to the CommonSecurityLog table (no entries in the last 1 hour).
Severity Level: Informational
Threat Indicator: System monitoring impact
MITRE ATT&CK Tactics: Execution
Log sources: CommonSecurityLog table
False Positives: Remote device has been decommissioned (planned change)
Recommendations:
1. Customer needs to investigate on the remote device to understand whether any changes have been completed (e.g. service stopped or misconfigured)
2. Notify MSSP provider to remove this device from Azure Sentinel monitoring scope (applicable if the server has been decommissioned)
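The detection logic described above, written as a KQL analytics-rule query. This is an added example, not Managed Sentinel's own rule; it assumes a 7-day lookback to learn which CEF sources normally report, and a constructed exclusion list for decommissioned devices to cover the planned-change false positive.

```kql
// Added example: per-source "silent log source" check for CommonSecurityLog.
// Assumptions: 7-day lookback defines the known sources; 1-hour silent window
// matches the alert description; the decommissioned list is a constructed placeholder.
let lookback = 7d;
let silent_window = 1h;
let decommissioned = dynamic(["decommissioned-fw-01"]);   // constructed placeholder hostnames
// Sources that were reporting at some point in the lookback, excluding the last hour
let known_sources =
    CommonSecurityLog
    | where TimeGenerated between (ago(lookback) .. ago(silent_window))
    | where Computer !in (decommissioned)
    | summarize LastSeenBefore = max(TimeGenerated) by Computer, DeviceVendor, DeviceProduct;
// Sources that have sent at least one CEF event in the last hour
let recent_sources =
    CommonSecurityLog
    | where TimeGenerated > ago(silent_window)
    | summarize LastSeen = max(TimeGenerated) by Computer, DeviceVendor, DeviceProduct;
// Anti-join: keep only known sources with nothing in the silent window
known_sources
| join kind=leftanti (recent_sources) on Computer, DeviceVendor, DeviceProduct
| extend SilentFor = now() - LastSeenBefore
| project Computer, DeviceVendor, DeviceProduct, LastSeenBefore, SilentFor
| order by SilentFor desc
```

Scheduling the rule hourly with a 1-hour lookback keeps one alert per newly silent source; raising silent_window trades detection latency for fewer alerts on bursty sources.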