Managed Sentinel – Alert 082
| Field | Value |
| --- | --- |
| Alert ID | MS-A082 |
| Alert Name | Previously disabled accounts becoming active |
| Description | This alert is triggered whenever a previously disabled Windows account is reactivated. |
| Severity Level | High |
| Threat Indicator | Root Access |
| MITRE ATT&CK Tactics | Privilege Escalation, Credential Access |
| Log sources | Windows Security Event Logs |
| Recommendations | 1. Disable the user account. 2. Complete an investigation in Azure Sentinel to understand any access from the impacted user account to other internal network systems. 3. Review the log history on Windows AD to identify the administrator who reactivated the user account. |
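As an added illustration of the correlation behind this alert (not Managed Sentinel's own rule logic), the Python below assumes the rule keys on the standard Windows Security events 4725 (account disabled) and 4722 (account enabled) and only alerts when a 4722 follows a 4725 for the same account within a lookback window, which keeps the 4722 that every newly created account also emits out of the results. The sample events, account names, hosts and the 30-day lookback are constructed assumptions; each alert carries the re-enabling administrator that recommendation 3 asks for.

```python
from datetime import datetime, timedelta

# Standard Windows Security event IDs (the page does not name them; assumed to be what the rule keys on)
EVENT_ACCOUNT_DISABLED = 4725  # "A user account was disabled"
EVENT_ACCOUNT_ENABLED = 4722   # "A user account was enabled"

def parse_event(line):
    """Parse one constructed 'key=value|key=value' security event line into a dict."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    fields["EventID"] = int(fields["EventID"])
    fields["TimeGenerated"] = datetime.fromisoformat(fields["TimeGenerated"])
    return fields

def find_reactivated_accounts(events, lookback_days=30):
    """Return one alert per 4722 whose target account had a 4725 within lookback_days before it.
    enabled_by is the SubjectUserName on the 4722, i.e. the administrator who reactivated the account."""
    lookback = timedelta(days=lookback_days)
    events = sorted(events, key=lambda e: e["TimeGenerated"])
    last_disabled = {}  # (domain, account) -> most recent 4725 event
    alerts = []
    for ev in events:
        key = (ev["TargetDomainName"], ev["TargetUserName"])
        if ev["EventID"] == EVENT_ACCOUNT_DISABLED:
            last_disabled[key] = ev
        elif ev["EventID"] == EVENT_ACCOUNT_ENABLED:
            prior = last_disabled.get(key)
            if prior and ev["TimeGenerated"] - prior["TimeGenerated"] <= lookback:
                alerts.append({
                    "account": f"{key[0]}\\{key[1]}",
                    "computer": ev["Computer"],
                    "enabled_at": ev["TimeGenerated"],
                    "enabled_by": ev["SubjectUserName"],
                    "disabled_at": prior["TimeGenerated"],
                    "disabled_by": prior["SubjectUserName"],
                })
                del last_disabled[key]  # require a fresh 4725 before alerting on this account again
    return alerts

# Constructed sample events (not real telemetry): bob is disabled then re-enabled two weeks later;
# carol is newly created (4720) and her creation-time 4722 must not alert because no 4725 preceded it.
SAMPLE_LOG = """\
TimeGenerated=2024-03-01T09:00:00|EventID=4725|Computer=DC01|SubjectUserName=hr.svc|TargetDomainName=CORP|TargetUserName=bob
TimeGenerated=2024-03-02T10:00:00|EventID=4720|Computer=DC01|SubjectUserName=admin1|TargetDomainName=CORP|TargetUserName=carol
TimeGenerated=2024-03-02T10:00:05|EventID=4722|Computer=DC01|SubjectUserName=admin1|TargetDomainName=CORP|TargetUserName=carol
TimeGenerated=2024-03-15T23:40:00|EventID=4722|Computer=DC02|SubjectUserName=admin2|TargetDomainName=CORP|TargetUserName=bob
"""
```

Running `find_reactivated_accounts(parse_event(l) for l in SAMPLE_LOG.splitlines())` yields a single alert for CORP\bob re-enabled by admin2 on DC02, with hr.svc recorded as the account that disabled it.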