This alert triggers when suspicious modifications that the O365 admins do not recognize are made to SharePoint sites.
MITRE ATT&CK Tactics
1. Review SharePoint changes in the Azure Sentinel console and identify the users and the activities performed on the affected SharePoint site.
2. If the change is not an internally approved change, investigate based on userID and source IP.
3. Determine whether any other changes were made to other internal systems in the same interval (lateral movement).
4. Collect evidence and logs for future investigation.
5. Roll back the changes to the SharePoint site.
6. Disable the in-scope user account.
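
A query that supports steps 1 to 3, as an added example that is not part of the original playbook. It assumes the Office 365 data connector is populating the OfficeActivity table; the site URL and time window are placeholders to replace with the values from the alert.

```kql
// Added example. Placeholder values: replace with the site and interval from the alert.
let siteUrl     = "https://contoso.sharepoint.com/sites/EXAMPLE-SITE";
let windowStart = datetime(2024-01-01T00:00:00Z);
let windowEnd   = datetime(2024-01-01T06:00:00Z);
// Steps 1-2: every recorded action against the affected site in the interval.
let siteChanges = materialize(
    OfficeActivity
    | where TimeGenerated between (windowStart .. windowEnd)
    | where OfficeWorkload == "SharePoint"
    | where Site_Url startswith siteUrl
    | extend Scope = "affected site");
// Pivot values for the investigation: the user IDs and source IPs involved.
let users = siteChanges | distinct UserId;
let ips   = siteChanges | distinct ClientIP;
// Step 3: anything else the same users or source IPs did in the same interval.
// OfficeActivity only covers Office 365 workloads; other internal systems
// have to be checked in their own log tables.
let otherActivity =
    OfficeActivity
    | where TimeGenerated between (windowStart .. windowEnd)
    | where UserId in (users) or ClientIP in (ips)
    | where not(OfficeWorkload == "SharePoint" and Site_Url startswith siteUrl)
    | extend Scope = "other activity, same interval";
union siteChanges, otherActivity
| summarize Operations = make_set(Operation),
            Events     = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated)
    by Scope, UserId, ClientIP, OfficeWorkload
| order by Scope asc, Events desc
```

Exporting the unsummarized rows for the same window gives the log evidence called for in step 4.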