Managed Sentinel – Alert 109
| Field | Value |
|---|---|
| Alert ID | MS-A109 |
| Alert Name | Tracking Privileged Account Rare Activity |
| Description | This query identifies rare activity carried out by a high-value account on a system or service. Rare here means an activity type seen in the last day that was not seen in the preceding 7 days. If any account with such rare activity is found, the query retrieves that account's related activity on the same day and summarizes it. Source: GitHub - Microsoft |
| Severity Level | Informational |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Privilege Escalation, Discovery |
| Log sources | Windows Security Event Logs, Unix |
| False Positives | Service account activity |
| Recommendations | Investigate account activity across the entire network using Sentinel. |
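The detection logic described above, written out as an added KQL example; this is not the Microsoft or Managed Sentinel query itself. It assumes the Windows `SecurityEvent` table, uses its `Activity` field as the activity type, and takes the privileged-account list from a constructed inline array (in practice a watchlist or identity table would supply it).

```kql
// Added example: rare activity by privileged accounts (1-day window vs. prior 7 days).
// Constructed privileged-account list; replace with a watchlist or IdentityInfo join.
let privileged_accounts = dynamic(["CONTOSO\\adm-jdoe", "CONTOSO\\svc-backup"]);
let rare_window = 1d;          // "last day"
let baseline_end = ago(rare_window);
let baseline_start = ago(8d);  // baseline_end - 7d: the "previous 7 days"
// Activity types each privileged account produced on each host during the baseline.
let baseline = SecurityEvent
    | where TimeGenerated between (baseline_start .. baseline_end)
    | where Account in~ (privileged_accounts)
    | summarize by Account, Computer, Activity;
// Activity types seen in the last day.
let recent = SecurityEvent
    | where TimeGenerated > baseline_end
    | where Account in~ (privileged_accounts)
    | summarize RareCount = count(), FirstSeen = min(TimeGenerated) by Account, Computer, Activity;
// Rare = present in the last day but absent from the 7-day baseline (anti-join).
let rare = recent
    | join kind=leftanti baseline on Account, Computer, Activity;
// For every account with rare activity, pull all of its same-day activity and summarize.
SecurityEvent
| where TimeGenerated > baseline_end
| join kind=inner (rare | distinct Account) on Account
| summarize
    RelatedEventCount = count(),
    AllActivities = make_set(Activity, 50),
    Hosts = make_set(Computer, 50),
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated)
  by Account
| join kind=inner (
    rare
    | summarize RareActivities = make_set(strcat(Computer, ": ", Activity), 50) by Account
  ) on Account
| project Account, StartTime, EndTime, RareActivities, RelatedEventCount, AllActivities, Hosts
```

Service accounts that run a scheduled task for the first time will surface here (the listed false positive), so review `RareActivities` against known change windows before escalating.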
