Managed Sentinel – Alert 081

Alert ID: MS-A081

Alert Name: PowerShell mailbox login activity in Office 365

Description: This alert helps you determine whether a mailbox login was performed from an Exchange Online PowerShell session. By default, all accounts created in Office 365 are allowed to use Exchange Online PowerShell; administrators can use Exchange Online PowerShell to enable or disable a user's ability to connect to it.

Severity Level: Medium

Threat Indicator: Improper Usage

MITRE ATT&CK Tactics: Initial Access, Execution

Log Sources: Office 365

False Positive: Approved operational change.

Recommendations:
1. Whitelist any recurring, approved operational activities that use Exchange PowerShell, if applicable in your environment.
2. Restrict PowerShell access to a specific set of highly privileged AD accounts within your organization.
3. Investigate, via Azure Sentinel, the other actions completed by the affected account within your network.
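As an added illustration (not part of the original alert definition) of the detection logic this alert describes, the following script scans constructed Office 365 audit records for MailboxLogin events whose client string indicates an Exchange PowerShell session and drops accounts on an approved-activity allowlist (recommendation 1). The field names (Operation, UserId, ClientInfoString, ClientIP, CreationTime) and the ClientInfoString values are assumptions modelled on the unified audit log, and the sample records are constructed.

```python
"""Flag Office 365 MailboxLogin events that came from an Exchange PowerShell
session, skipping allowlisted operational accounts. Sample data is constructed."""
import json

# Constructed sample records; field names assumed to follow the Office 365
# unified audit log (Operation, UserId, ClientInfoString, ClientIP, CreationTime).
SAMPLE_EVENTS = [
    {"CreationTime": "2021-03-01T08:02:11", "Operation": "MailboxLogin",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.5",
     "ClientInfoString": "Client=OWA;Action=ViaProxy"},
    {"CreationTime": "2021-03-01T08:05:40", "Operation": "MailboxLogin",
     "UserId": "svc-backup@contoso.example", "ClientIP": "198.51.100.9",
     "ClientInfoString": "Client=Microsoft.Exchange.Powershell;Action=RemotePowerShell"},
    {"CreationTime": "2021-03-01T08:07:02", "Operation": "MailboxLogin",
     "UserId": "bob@contoso.example", "ClientIP": "198.51.100.23",
     "ClientInfoString": "Client=Microsoft.Exchange.Powershell;Action=RemotePowerShell"},
    {"CreationTime": "2021-03-01T08:09:15", "Operation": "MailboxLogin",
     "UserId": "carol@contoso.example", "ClientIP": "203.0.113.7",
     "ClientInfoString": "Client=MSExchangeRPC"},
]

# Recommendation 1: allowlist recurring approved operational activity
# (hypothetical service account, lower-cased for comparison).
APPROVED_POWERSHELL_USERS = {"svc-backup@contoso.example"}


def is_powershell_session(client_info: str) -> bool:
    """True when the audit client string names a PowerShell client."""
    return "powershell" in client_info.lower()


def find_powershell_mailbox_logins(events, approved=frozenset()):
    """Return MailboxLogin events made via PowerShell by non-allowlisted users."""
    hits = []
    for ev in events:
        if ev.get("Operation") != "MailboxLogin":
            continue  # only mailbox logins are in scope for this alert
        if not is_powershell_session(ev.get("ClientInfoString", "")):
            continue  # interactive clients (OWA, Outlook/RPC) are not flagged
        if ev.get("UserId", "").lower() in approved:
            continue  # approved operational change: known false positive
        hits.append({"time": ev["CreationTime"], "user": ev["UserId"],
                     "ip": ev.get("ClientIP")})
    return hits


if __name__ == "__main__":
    for hit in find_powershell_mailbox_logins(SAMPLE_EVENTS, APPROVED_POWERSHELL_USERS):
        print(json.dumps(hit))
```

Each hit carries the account and source IP so the analyst can pivot to the account's other actions (recommendation 3).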