Managed Sentinel – Alert 201
| Field | Value |
|---|---|
| Alert ID | MS-A201 |
| Alert Name | Silent log source monitoring - CommonSecurityLog |
| Description | Triggered when Sentinel can no longer detect log entries from a log source that sends logs in CEF format to the CommonSecurityLog table, i.e. no events from that source have been written in the last 1 hour although the source was previously reporting. |
| Severity Level | Informational |
| Threat Indicator | System monitoring impact (loss of visibility of the affected device) |
| MITRE ATT&CK Tactics | Defense Evasion (T1562 Impair Defenses) |
| Log sources | CommonSecurityLog table |
| False Positives | Remote device has been decommissioned (planned change); remote device or CEF collector under planned maintenance; low-volume device that legitimately sends no events within an hour |
| Recommendations | 1. Customer investigates the remote device to determine whether any change has been made (e.g. logging service stopped, syslog/CEF forwarding misconfigured, collector unreachable). 2. If the outage was not planned, treat it as a possible attempt to blind monitoring and check the device for unauthorised configuration changes before closing the alert. 3. If the server has been decommissioned, notify the MSSP provider to remove the device from the Azure Sentinel monitoring scope. |
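The following KQL query is an added example of how the condition in the Description row (a CEF source with no entries in CommonSecurityLog for the last hour) can be implemented as a scheduled analytics query; it is not the Managed Sentinel rule itself. It goes beyond the alert text by computing each source's average hourly rate over a lookback window so that low-volume devices (the third false positive above) are not flagged. The `lookback`, `silent_window` and `min_hourly_rate` values are assumed thresholds, not values from the original page.

```kql
// Added example, not the Managed Sentinel rule. Lists CEF sources that have
// stopped writing to CommonSecurityLog, ranked by how long they have been silent.
let lookback = 14d;          // assumed: history used to learn each source's normal rate
let silent_window = 1h;      // the alert's "no entries in the last 1 hour" condition
let min_hourly_rate = 1.0;   // assumed: ignore sources that normally send < 1 event/hour
CommonSecurityLog
| where TimeGenerated > ago(lookback)
// One row per reporting device (host plus vendor/product as seen in the CEF header)
| summarize
    LastSeen = max(TimeGenerated),
    TotalEvents = count()
    by Computer, DeviceVendor, DeviceProduct
// Baseline: events per hour over the whole lookback (timespan / timespan yields a real)
| extend AvgEventsPerHour = todouble(TotalEvents) / (lookback / 1h)
// Silent = nothing received inside the window, and the source normally does report
| where LastSeen < ago(silent_window) and AvgEventsPerHour >= min_hourly_rate
| extend SilentFor = now() - LastSeen
| project Computer, DeviceVendor, DeviceProduct, LastSeen, SilentFor, AvgEventsPerHour
| order by SilentFor desc
```

Schedule the rule to run hourly with the same `silent_window`; a source that has been silent for longer than `lookback` drops out of the result set entirely, so a decommissioned device stops generating alerts on its own once the lookback has elapsed.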