Managed Sentinel – Alert 081

Alert ID: MS-A081
Alert Name: Powershell or non-browser mailbox login activity in Office 365
Description: This will help you determine whether a mailbox login was made from an Exchange PowerShell session. By default, all accounts you create in Office 365 are allowed to use Exchange Online PowerShell. Administrators can use Exchange Online PowerShell to enable or disable a user's ability to connect to Exchange Online PowerShell. Source: GitHub - Microsoft
Severity Level: Medium
Threat Indicator: Improper Usage
MITRE ATT&CK Tactics: Initial Access, Execution
Log sources: Office 365
False Positive: Approved operational change
Recommendations:
Whitelist any benign scheduled activities that use Exchange PowerShell, if applicable in your environment.
Block any scripts identified as malicious.
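
The check in the Description, combined with the allowlisting in the Recommendations, as an added Python example (not the Managed Sentinel or Microsoft rule itself). It covers only the Exchange PowerShell case. The field names `Operation`, `ClientInfoString`, `UserId` and `ClientIP` are assumptions about the Office 365 audit record layout, and the allowlist and log records are constructed.

```python
import json

# Assumed Office 365 audit field names (not listed on the page):
# Operation, ClientInfoString, UserId, ClientIP.
PS_MARKER = "microsoft.exchange.powershell"

# Constructed allowlist of approved scheduled jobs: (account, source IP).
ALLOWLIST = {("svc-mailbox-report@example.com", "203.0.113.10")}

# Constructed sample records, one JSON object per line; not real log data.
SAMPLE_LOG = """\
{"Operation": "MailboxLogin", "UserId": "alice@example.com", "ClientIP": "198.51.100.7", "ClientInfoString": "Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client"}
{"Operation": "MailboxLogin", "UserId": "svc-mailbox-report@example.com", "ClientIP": "203.0.113.10", "ClientInfoString": "Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client"}
{"Operation": "MailboxLogin", "UserId": "bob@example.com", "ClientIP": "198.51.100.8", "ClientInfoString": "Client=OWA;Mozilla/5.0"}
{"Operation": "MailboxLogin", "UserId": "SVC-Mailbox-Report@example.com", "ClientIP": "198.51.100.99", "ClientInfoString": "Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client"}
not-json truncated line
"""

def is_powershell_login(rec):
    """True for a mailbox login whose client string names Exchange PowerShell."""
    client = str(rec.get("ClientInfoString") or "").lower()
    return rec.get("Operation") == "MailboxLogin" and PS_MARKER in client

def triage(lines, allowlist=ALLOWLIST):
    """Split PowerShell mailbox logins into (alerts, suppressed)."""
    alerts, suppressed = [], []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines rather than abort the run
        if not isinstance(rec, dict) or not is_powershell_login(rec):
            continue
        # Match on account AND source IP, so an approved account used from
        # an unexpected address still raises an alert.
        key = (str(rec.get("UserId") or "").lower(), rec.get("ClientIP"))
        (suppressed if key in allowlist else alerts).append(rec)
    return alerts, suppressed

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_LOG.splitlines())
    for rec in alerts:
        print("ALERT", rec["UserId"], rec["ClientIP"])
    print(len(suppressed), "allowlisted event(s) suppressed")
```

Keying the allowlist on both account and source address keeps an approved service account from becoming a blanket exception.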