Managed Sentinel – Alert 202

Alert ID: MS-A202
Alert Name: Silent log source monitoring - Windows Security
Description: This alert is triggered when Sentinel can no longer detect Security Event log entries from a Windows log source (within the last 1 hour).
Severity Level: Informational
Threat Indicator: System monitoring impact
MITRE ATT&CK Tactics: Execution
Log sources: Windows
False Positives: Windows server has been decommissioned (planned change)
Recommendations:
1. Customer needs to investigate on the Windows server whether the Microsoft Monitoring Agent is stopped or misconfigured.
2. Notify the MSSP provider to remove this server from the Azure Sentinel monitoring scope (applicable if the server has been decommissioned).