Managed Sentinel – Alert 051
|Alert Name||Abnormal activity for a high profile user in O365|
|Description||This alert triggers when a specific user(s) is displaying a abnormal high activity in O365. Customer to provide the user ID to be monitored and alert|
|Threat Indicator||Unauthorized activity|
|MITRE ATT&CK Tactics||Execution|
|Log sources||Office Activity|
|False Positive||Approved operational change(s)|
|Recommendations||1. Review list of operations reported for this account and validate if these were allowed changes. |
2. Use Sentinel to investigate any lateral movements within your network from the same originator
3. If identified as compromised account, disable the account and notify user.
4. Collect evidence for future investigations.