Managed Sentinel – Alert 070
| Field | Value |
|---|---|
| Alert ID | MS-A070 |
| Alert Name | A new service was installed and started on a critical Windows server |
| Description | This alert is triggered whenever a new service is installed on one of the critical Windows servers. The customer provides the list of critical servers that this query monitors. |
| Severity Level | Medium |
| Threat Indicator | Elevation of Privilege |
| MITRE ATT&CK Tactics | Initial Access, Execution, Defense Evasion, Lateral Movement, Command and Control |
| Log sources | Windows Information Event Logs |
| False Positives | Scripts and administrative tools used in the monitored environment |
| Recommendations | Engage the server owner (or Operations Team) to confirm whether the service installation was expected and authorized. If it was not, perform a full scan of the server and collect evidence: the last user login, and the hostname and IP address of the host that initiated the change. |
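As an added illustration (not the Managed Sentinel rule itself), the KQL below shows how a detection of this shape can be written against the Log Analytics `Event` table, using the System-log event ID 7045 ("A service was installed in the system") raised by the Service Control Manager. The server names and the tool allowlist are constructed placeholders; the customer-supplied critical server list and known administrative installers would replace them.

```kql
// Added example, not the production MS-A070 query.
// Constructed placeholders: replace with the customer's critical server list.
let CriticalServers = dynamic(["SRV-DC01.corp.example", "SRV-FILE01.corp.example"]);
// Constructed placeholders for administrative tools known to create services in this
// environment; tune to the false-positive sources noted above.
let KnownAdminServices = dynamic(["PSEXESVC"]);
Event
| where TimeGenerated > ago(1h)
| where EventLog == "System"
    and Source == "Service Control Manager"
    and EventID == 7045
| where Computer in~ (CriticalServers)
// Pull the service details out of the raw EventData XML.
| extend ServiceName = extract(@'<Data Name="ServiceName">([^<]*)</Data>', 1, EventData),
         ImagePath   = extract(@'<Data Name="ImagePath">([^<]*)</Data>', 1, EventData),
         StartType   = extract(@'<Data Name="StartType">([^<]*)</Data>', 1, EventData),
         AccountName = extract(@'<Data Name="AccountName">([^<]*)</Data>', 1, EventData)
// Drop services created by tooling that is expected in the monitored environment.
| where ServiceName !in~ (KnownAdminServices)
// Fields the analyst needs for the triage steps in the Recommendations row.
| project TimeGenerated, Computer, ServiceName, ImagePath, StartType, AccountName
| order by TimeGenerated desc
```

Services installed through the Security log appear instead as event ID 4697 in the `SecurityEvent` table, which already exposes parsed `ServiceName` and `ServiceFileName` columns if that source is collected.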
