Managed Sentinel – Alert 072

Alert ID: MS-A072
Alert Name: Non owner Office 365 mailbox login activity
Description: This alert helps you determine whether a mailbox was accessed with an Admin or Delegate logon type. That logon type indicates the mailbox was accessed by a user other than its owner. Exchange allows Admin and Delegate permissions to access another user's inbox.
Severity Level: Medium
Threat Indicator: Elevation of Privilege
MITRE ATT&CK Tactics: Initial Access
Log sources: Office 365
False Positive: Recurrent and approved O365 operational activities within your organization
Recommendations:
1. Review the generated events via the Azure Sentinel console.
2. If delegated access has been granted to specific users, you can whitelist those users and investigate the remaining results.
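
One way to apply recommendation 2 in a Sentinel query, added here as an example and not taken from the Managed Sentinel rule itself. It assumes the Office 365 connector's OfficeActivity table with the MailboxLogin operation and the Logon_Type, UserId, MailboxOwnerUPN and ClientIP columns; the allowlist entries and the one-day window are constructed placeholders.

```kusto
// Constructed allowlist of approved delegate -> mailbox pairs (placeholder values).
let approvedDelegates = datatable(DelegateUser:string, Mailbox:string)
[
    "helpdesk@example.com",  "shared-inbox@example.com",
    "assistant@example.com", "director@example.com"
];
OfficeActivity
| where TimeGenerated > ago(1d)                       // assumed review window
| where Operation == "MailboxLogin"
| where Logon_Type != "Owner"                         // keeps Admin and Delegate logons
// Normalise case so allowlist matching does not miss mixed-case UPNs.
| extend DelegateUser = tolower(UserId), Mailbox = tolower(MailboxOwnerUPN)
// Drop only exact approved (user, mailbox) pairs; an approved delegate
// opening a different mailbox still surfaces.
| join kind=leftanti approvedDelegates on DelegateUser, Mailbox
| summarize Logins    = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            ClientIPs = make_set(ClientIP, 20)
    by DelegateUser, Mailbox, Logon_Type
| order by LastSeen desc
```

Matching on the user and mailbox pair, and not on the user alone, keeps an allowlisted account from suppressing results for mailboxes it was never delegated.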