Managed Sentinel – Alert 089

| Field | Value |
|---|---|
| Alert ID | MS-A089 |
| Alert Name | Windows privileged account(s) password changed on critical servers |
| Description | This alert is triggered whenever an administrator account password is changed on one of a defined set of critical servers. The customer provides the list of critical servers to be monitored. |
| Severity Level | Medium |
| Threat Indicator | Root Access |
| MITRE ATT&CK Tactics | Initial Access, Privilege Escalation, Credential Access |
| Log sources | Windows Security Event Logs |
| False Positive | Service outsourcing related events |
| Recommendations | Disable the affected user account. Use Azure Sentinel to query and report all access from the affected user account to other internal resources (lateral movement). |
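As an added illustration (this is not the Managed Sentinel rule logic, which the page does not reproduce), the following KQL query over the Sentinel `SecurityEvent` table implements the detection described above. It relies on the Windows Security events 4723 (a user changed their own password) and 4724 (a password was reset by another principal), which are only written when the "Audit User Account Management" subcategory is enabled on the monitored hosts. The server and account names are placeholder values that the customer would replace with their critical-server and privileged-account lists.

```kql
// Added example query; not part of the original alert definition.
// Placeholder critical-server list (to be supplied by the customer).
let CriticalServers = dynamic(["CRITSRV01.contoso.local", "CRITSRV02.contoso.local"]);
// Placeholder privileged-account list (to be supplied by the customer).
let PrivilegedAccounts = dynamic(["Administrator", "svc_backup"]);
SecurityEvent
| where TimeGenerated > ago(1h)
// 4723 = password changed by the account itself, 4724 = password reset by another principal
| where EventID in (4723, 4724)
| where Computer in~ (CriticalServers)
| where TargetUserName in~ (PrivilegedAccounts)
| extend ChangeType = iff(EventID == 4723, "SelfChange", "ResetByOther")
| project TimeGenerated, Computer, EventID, ChangeType,
          TargetDomainName, TargetUserName,      // account whose password changed
          SubjectDomainName, SubjectUserName     // principal that performed the change
```

One caveat when scoping the server list: for domain accounts these events are logged on the domain controller that processed the change, not on the member server, so a rule keyed only on member-server `Computer` names will catch local administrator accounts but miss domain-privileged ones unless the domain controllers are included.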
