Managed Sentinel – Alert 069

Alert ID: MS-A069
Alert Name: New Office 365 admin activity detected
Description: This alert helps you discover new admin account activity that was not seen historically. Any new accounts in the results can be validated and investigated for suspicious activity. Please note that this use case is very noisy, and it is recommended to tune it regularly.
Severity Level: Informational
Threat Indicator: Unauthorized activity
MITRE ATT&CK Tactics: Credential Access
Log sources: Office 365
False Positive: Approved operational change(s)
Recommendations:
1. Review the identified AD account and validate whether this change is a permitted action within your organization.
2. Investigate other activities within your network from the same originator.
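
The sketch below is an added example, not the Managed Sentinel rule itself. It shows the "seen recently but not seen historically" comparison from the description, with an allowlist as the tuning step for approved operational changes. The record fields, window lengths, account names and the new_admin_activity helper are all assumptions, and the events are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (not real tenant data). Field names are
# assumptions for this example, not the actual Office 365 log schema.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "user": "admin.a@example.com", "user_type": "Admin", "operation": "Set-Mailbox"},
    {"time": "2024-05-15T08:00:00", "user": "admin.a@example.com", "user_type": "Admin", "operation": "New-InboxRule"},
    {"time": "2024-05-15T09:30:00", "user": "Admin.B@example.com", "user_type": "Admin", "operation": "Add-MailboxPermission"},
    {"time": "2024-05-15T10:00:00", "user": "admin.b@example.com", "user_type": "Admin", "operation": "Set-Mailbox"},
    {"time": "2024-05-15T07:00:00", "user": "svc.deploy@example.com", "user_type": "Admin", "operation": "New-TransportRule"},
    {"time": "2024-05-15T11:00:00", "user": "user.c@example.com", "user_type": "Regular", "operation": "MailItemsAccessed"},
]
NOW = datetime.fromisoformat("2024-05-15T12:00:00")  # constructed evaluation time


def new_admin_activity(events, now, baseline_days=14, recent_days=1, approved=()):
    """Return admin accounts active in the recent window but absent from the baseline.

    Window lengths are assumed values; `approved` is the tuning allowlist for
    accounts covered by an approved operational change.
    """
    recent_start = now - timedelta(days=recent_days)
    baseline_start = recent_start - timedelta(days=baseline_days)
    approved = {a.lower() for a in approved}
    baseline, recent = set(), {}
    for ev in events:
        if ev["user_type"] != "Admin":
            continue  # only admin activity is in scope for this alert
        ts = datetime.fromisoformat(ev["time"])
        user = ev["user"].lower()  # normalise case so one account is not counted twice
        if baseline_start <= ts < recent_start:
            baseline.add(user)
        elif recent_start <= ts <= now:
            entry = recent.setdefault(user, {"first_seen": ts, "operations": set()})
            entry["first_seen"] = min(entry["first_seen"], ts)
            entry["operations"].add(ev["operation"])
    # Keep accounts with no historical activity that are not on the allowlist.
    return {u: d for u, d in recent.items() if u not in baseline and u not in approved}


if __name__ == "__main__":
    hits = new_admin_activity(SAMPLE_EVENTS, NOW, approved=["svc.deploy@example.com"])
    for user, detail in sorted(hits.items()):
        print(user, detail["first_seen"].isoformat(), sorted(detail["operations"]))
```

The first_seen timestamp and operation list returned for each account give the analyst a starting point for the two recommendations above.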