This alert triggers when one or more specific users display abnormally high activity in O365. The customer provides the user ID(s) to be monitored and alerted on.
MITRE ATT&CK Tactics
Approved operational change(s)
1. Review the list of operations reported for this account and validate whether these were allowed changes.
2. Use Sentinel to investigate any lateral movement within your network from the same originator.
3. If the account is identified as compromised, disable the account and notify the user.
4. Collect evidence for future investigations.
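
An added example, not part of the original alert definition: one way to express "abnormally high activity" for a customer-supplied list of users, and to produce the per-operation breakdown reviewed in step 1. The window, baseline length, multiplier and minimum-event floor are assumptions to tune per tenant; the records are constructed samples using the `UserId`, `Operation` and `CreationTime` fields of an O365 audit log export.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def flag_high_activity(records, monitored, now, window=timedelta(hours=1),
                       baseline=timedelta(days=7), multiplier=3.0, min_events=20):
    """Return {user: details} for monitored users whose event count in the last
    `window` exceeds `multiplier` x their average per-window count over `baseline`."""
    monitored = {u.lower() for u in monitored}       # UserId casing varies in logs
    recent, history = defaultdict(Counter), Counter()
    for r in records:
        user = r["UserId"].lower()
        if user not in monitored:
            continue
        ts = datetime.fromisoformat(r["CreationTime"])
        if now - window < ts <= now:
            recent[user][r["Operation"]] += 1         # keep operations for triage
        elif now - window - baseline < ts <= now - window:
            history[user] += 1
    slots = baseline / window                         # windows in the baseline period
    alerts = {}
    for user, ops in recent.items():
        count = sum(ops.values())
        avg = history[user] / slots                   # quiet windows count as zero
        if count >= min_events and count > multiplier * avg:
            alerts[user] = {"events": count, "baseline_avg": round(avg, 2),
                            "operations": dict(ops.most_common())}
    return alerts

# Constructed sample data (assumed values, not real tenant logs).
NOW = datetime(2024, 1, 15, 12, 0)
MONITORED = ["alice@example.com", "bob@example.com"]

def _rec(user, op, ts):
    return {"UserId": user, "Operation": op, "CreationTime": ts.isoformat()}

SAMPLE = []
for h in range(1, 7 * 24 + 1):                        # one week of normal activity
    ts = NOW - timedelta(hours=h, minutes=30)
    SAMPLE += [_rec("alice@example.com", "FileAccessed", ts)] * 2
    SAMPLE += [_rec("bob@example.com", "MailItemsAccessed", ts)] * 25
# Last hour: alice bursts to 40 events, bob stays at his usual 25.
SAMPLE += [_rec("Alice@example.com", "FileDownloaded", NOW - timedelta(minutes=m)) for m in range(1, 31)]
SAMPLE += [_rec("alice@example.com", "FileAccessed", NOW - timedelta(minutes=m)) for m in range(1, 11)]
SAMPLE += [_rec("bob@example.com", "MailItemsAccessed", NOW - timedelta(minutes=m)) for m in range(1, 26)]
SAMPLE += [_rec("carol@example.com", "FileDownloaded", NOW - timedelta(minutes=5))] * 200  # not monitored

if __name__ == "__main__":
    print(flag_high_activity(SAMPLE, MONITORED, NOW))
```

Comparing each user against their own baseline keeps a consistently busy account (bob in the sample) from alerting while still catching a burst from a normally quiet one.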