Managed Sentinel – Alert 051

Alert ID: MS-A051
Alert Name: Abnormal activity for a high-profile user in O365
Description: This alert triggers when a specified user (or users) displays abnormally high activity in O365. Customer to provide the user ID(s) to be monitored and alerted on.
Severity Level: Low
Threat Indicator: Unauthorized activity
MITRE ATT&CK Tactics: Execution, Persistence
Log Sources: Office Activity
False Positive: Approved operational change(s)
Recommendations:
1. Review the list of operations reported for this account and validate that these were permitted changes.
2. Use Sentinel to investigate any lateral movement within your network from the same originator (source IP or session).
3. If the account is identified as compromised, disable the account and notify the user.
4. Collect evidence for future investigations.
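The catalog entry above describes the detection only in words: a customer-supplied list of users, the OfficeActivity table, and "abnormally high" activity. The KQL below is an added example of how such a rule can be expressed in Microsoft Sentinel; it is not the Managed Sentinel MS-A051 rule itself. It assumes the monitored users live in a Sentinel watchlist named HighProfileUsers with a UserPrincipalName column (a hypothetical name), and the 14-day lookback, 1-hour bin, 3-sigma threshold and 50-event floor are illustrative values to be tuned per tenant.

```kql
// Added example, not the Managed Sentinel MS-A051 rule itself.
// Assumptions: monitored users come from a Sentinel watchlist named
// "HighProfileUsers" with a "UserPrincipalName" column (hypothetical name);
// lookback, bin size, sigma and minEvents are illustrative tuning values.
let lookback = 14d;            // history used to build the per-user baseline
let window = 1h;               // evaluation bin; match the rule's query frequency
let sigma = 3.0;               // fire when current count > mean + sigma * stdev
let minEvents = 50;            // floor so a quiet account's tiny stdev cannot fire on noise
let HighProfile = _GetWatchlist('HighProfileUsers')
    | project UserId = tolower(UserPrincipalName);
// Per-user hourly baseline. make-series fills empty bins with 0, so idle hours
// pull the mean down instead of being skipped (a plain summarize by bin() would
// only count hours that had activity and inflate the baseline).
let Baseline = OfficeActivity
    | where TimeGenerated between (ago(lookback) .. ago(window))
    | extend UserId = tolower(UserId)
    | where UserId in (HighProfile)
    | make-series Count = count() default = 0 on TimeGenerated
        from ago(lookback) to ago(window) step window by UserId
    | extend Stats = series_stats_dynamic(Count)
    | project UserId, BaselineAvg = todouble(Stats.avg), BaselineStd = todouble(Stats.stdev);
// Current bin: count activity and keep the context an analyst needs for
// recommendation 1 (which operations) and 2 (which originating IPs).
OfficeActivity
| where TimeGenerated > ago(window)
| extend UserId = tolower(UserId)
| where UserId in (HighProfile)
| summarize CurrentCount = count(),
            Operations = make_set(Operation, 50),
            Workloads = make_set(OfficeWorkload, 10),
            SourceIPs = make_set(ClientIP, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserId
| join kind=inner Baseline on UserId
| where CurrentCount >= minEvents
    and CurrentCount > BaselineAvg + sigma * BaselineStd
| project UserId, CurrentCount, BaselineAvg, BaselineStd,
          Operations, Workloads, SourceIPs, FirstSeen, LastSeen
// Entity mapping fields for the Sentinel incident
| extend AccountCustomEntity = UserId, IPCustomEntity = tostring(SourceIPs[0])
```

Two points follow from the entry's own rows. The False Positive row (approved operational changes) is best handled by suppressing the rule for the change window or by excluding the change operator's source IP, not by raising sigma for everyone, since that also blinds the rule to a genuine compromise. And because the baseline is per user, a newly added watchlist entry has no history for the first run; the minEvents floor keeps that first evaluation from firing on an undefined standard deviation.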