Managed Sentinel – Alert 072

Alert ID: MS-A072
Alert Name: Non-owner Office 365 mailbox login activity
Description: This alert helps you determine whether a mailbox was accessed with the Admin or Delegate logon type. These logon types indicate that the mailbox was accessed by a user other than its owner. Exchange allows admin and delegate permissions to be used to access another user's inbox.
Source: GitHub - Microsoft
Severity Level: Medium
Threat Indicator: Elevation of Privilege
MITRE ATT&CK Tactics: Initial Access
Log sources: Office 365
False Positive: Regular - sanctioned operations activities
Recommendations: Review events.
If your organization has granted valid admin or delegate access to users, you can whitelist those and investigate the other results.
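
One way to apply the whitelisting recommendation above, written as an added KQL example (it is not the Managed Sentinel rule or the Microsoft GitHub query). It assumes the column names of the Sentinel `OfficeActivity` table (`Operation`, `Logon_Type`, `UserId`, `MailboxOwnerUPN`); every account and event below is constructed sample data, and `SanctionedAccess` is a hypothetical allow-list name.

```kql
// Constructed allow-list of sanctioned (accessor, mailbox) pairs, lower-cased.
let SanctionedAccess = datatable(UserId:string, MailboxOwnerUPN:string)
[
    "helpdesk.admin@contoso.example", "shared.finance@contoso.example",
    "assistant@contoso.example",      "ceo@contoso.example"
];
// Constructed sample events; in a workspace, replace SampleEvents with
// OfficeActivity | where TimeGenerated >= ago(1d)
let SampleEvents = datatable(TimeGenerated:datetime, Operation:string,
                             Logon_Type:string, UserId:string, MailboxOwnerUPN:string)
[
    datetime(2024-01-10 08:01:00), "MailboxLogin", "Owner",    "ceo@contoso.example",            "ceo@contoso.example",
    datetime(2024-01-10 08:05:00), "MailboxLogin", "Delegate", "Assistant@contoso.example",      "ceo@contoso.example",
    datetime(2024-01-10 09:12:00), "MailboxLogin", "Admin",    "helpdesk.admin@contoso.example", "shared.finance@contoso.example",
    datetime(2024-01-10 23:40:00), "MailboxLogin", "Admin",    "helpdesk.admin@contoso.example", "ceo@contoso.example",
    datetime(2024-01-10 23:47:00), "MailboxLogin", "Admin",    "helpdesk.admin@contoso.example", "ceo@contoso.example",
    datetime(2024-01-11 02:15:00), "MailboxLogin", "Delegate", "intern@contoso.example",         "hr.director@contoso.example"
];
SampleEvents
// Keep only non-owner mailbox logins.
| where Operation == "MailboxLogin" and Logon_Type in ("Admin", "Delegate")
// Normalise case so the allow-list comparison is not defeated by mixed-case UPNs.
| extend UserId = tolower(UserId), MailboxOwnerUPN = tolower(MailboxOwnerUPN)
// Drop pairs that are sanctioned; the match is on the accessor AND the mailbox,
// so a sanctioned admin opening an unsanctioned mailbox is still reported.
| join kind=leftanti (SanctionedAccess) on UserId, MailboxOwnerUPN
| summarize LoginCount = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated)
    by UserId, MailboxOwnerUPN, Logon_Type
| order by LoginCount desc
```

With the sample data, the two sanctioned pairs are filtered out and two rows remain for review: the help-desk admin opening the CEO mailbox (two logins) and the intern's delegate access to the HR director's mailbox.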