Managed Sentinel – Alert 101
| Field | Value |
| --- | --- |
| Alert ID | MS-A101 |
| Alert Name | Suspicious high privilege account login failure on Windows systems |
| Description | Alerts when an account on the customer-provided list of high-privilege accounts accumulates a configurable number of failed logon attempts (Windows Security event ID 4625) within a predefined time window. |
| Severity Level | Low |
| Threat Indicator | Root Access |
| MITRE ATT&CK Tactics | Initial Access, Privilege Escalation, Credential Access |
| Log sources | Windows Security Event Logs |
| False Positive | Unknown |
| Recommendations | 1. Disable the user account or reset its password. 2. Use Azure Sentinel to investigate any suspicious access from the affected account to other internal resources (lateral movement). 3. Investigate the source host from which the logon attempts originated. 4. Perform an Azure Sentinel investigation for the attacker-related entity (the source IP address). |
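The alert logic described above (a threshold of failed logons against a customer-provided privileged-account list within a time window), written as an Azure Sentinel scheduled analytics query. This is an added example, not the Managed Sentinel rule itself; the threshold of 5, the 15-minute window, the sample account names and the watchlist name `HighPrivilegeAccounts` are assumptions to be replaced with the customer's values.

```kql
// Added example, not the Managed Sentinel rule: Sentinel scheduled-rule query for MS-A101.
// Threshold, lookback and account list below are assumed placeholders.
let Threshold = 5;          // "x" failed attempts that trigger the alert
let Lookback  = 15m;        // the predefined time window; schedule the rule to run every 15m
// Customer-provided high-privilege accounts (constructed sample list).
// In production, source this from a watchlist instead of hard-coding it:
//   let PrivilegedAccounts = toscalar(_GetWatchlist('HighPrivilegeAccounts') | summarize make_set(SearchKey));
let PrivilegedAccounts = dynamic(["administrator", "da-jsmith", "svc-backup"]);
SecurityEvent
| where TimeGenerated > ago(Lookback)
| where EventID == 4625                          // "An account failed to log on"
| where TargetUserName in~ (PrivilegedAccounts)  // case-insensitive match against the list
| summarize
    FailedAttempts = count(),
    FirstAttempt   = min(TimeGenerated),
    LastAttempt    = max(TimeGenerated),
    SourceIPs      = make_set(IpAddress, 20),
    SourceHosts    = make_set(WorkstationName, 20),
    TargetHosts    = make_set(Computer, 20),
    // NTSTATUS sub-status tells bad password (0xC000006A) apart from locked out (0xC0000234)
    SubStatuses    = make_set(SubStatus, 10)
  by TargetUserName, TargetDomainName
| where FailedAttempts >= Threshold
// Entity mapping so the Sentinel investigation graph (recommendations 2 and 4) gets
// the account and the first observed source IP.
| extend AccountCustomEntity = TargetUserName,
         IPCustomEntity      = tostring(SourceIPs[0])
| order by FailedAttempts desc
```

Set the rule's query frequency equal to the lookback period so each 4625 event is counted exactly once; the trade-off is that a burst split across two consecutive runs can fall below the threshold in both. Keeping the account list in a watchlist rather than in the query body lets the customer update it without editing the rule, and the `SubStatuses` column lets the analyst tell a brute-force run (repeated bad passwords) from an account that is simply already locked out.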