Managed Sentinel – Alert 081
|Alert Name||PowerShell mailbox login activity in Office 365|
|Description||Helps you determine whether a mailbox login was performed from an Exchange Online PowerShell session rather than from a mail client. By default, every account created in Office 365 is allowed to connect to Exchange Online PowerShell; administrators can enable or disable an individual user's ability to connect, so a login from a PowerShell session by an account that has no administrative reason to use one is worth reviewing.|
|Threat Indicator||Improper Usage|
|MITRE ATT&CK Tactics||Initial Access|
|Log sources||Office 365|
|False Positive||Approved operational change.|
|Recommendations||1. Whitelist recurring, approved operational activity that uses Exchange PowerShell (for example a service account driven by a scheduled task), if applicable in your environment.
2. Restrict Exchange Online PowerShell access to a small set of designated, highly privileged administrative accounts in your organization and disable it for all other users.
3. Investigate in Azure Sentinel the other actions performed by the affected account within your environment during the same period.|
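The detection logic behind this alert, together with the whitelist from Recommendation 1, as an added example that is not part of the original alert page. The records are constructed and shaped like the AuditData JSON returned by Search-UnifiedAuditLog for MailboxLogin events (the same fields appear as columns of the OfficeActivity table in Azure Sentinel); the ClientInfoString values, IP addresses and account names are assumptions.

```powershell
# Added example, not code from the original alert page.
# Constructed sample: three MailboxLogin audit records. One comes from Outlook on the web,
# one from an approved backup service account using PowerShell, one from an ordinary user
# whose mailbox was opened from a PowerShell session. The ClientInfoString values are assumed.
$sampleAuditData = @'
[
  { "CreationTime": "2020-04-01T08:02:11", "Operation": "MailboxLogin", "Workload": "Exchange",
    "UserId": "alice@contoso.com", "ClientIPAddress": "203.0.113.10",
    "ClientInfoString": "Client=OWA;Action=ViaProxy", "LogonType": 0 },
  { "CreationTime": "2020-04-01T08:05:40", "Operation": "MailboxLogin", "Workload": "Exchange",
    "UserId": "svc-mailexport@contoso.com", "ClientIPAddress": "198.51.100.5",
    "ClientInfoString": "Client=Microsoft.Exchange.Powershell", "LogonType": 0 },
  { "CreationTime": "2020-04-01T08:09:03", "Operation": "MailboxLogin", "Workload": "Exchange",
    "UserId": "bob@contoso.com", "ClientIPAddress": "192.0.2.77",
    "ClientInfoString": "Client=Microsoft.Exchange.Powershell", "LogonType": 0 }
]
'@

function Find-PowerShellMailboxLogin {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # parsed AuditData objects
        [string[]] $ApprovedAccounts = @()            # Recommendation 1: known-good accounts
    )
    foreach ($r in $Records) {
        # Only Exchange mailbox logins are in scope for this alert.
        if ($r.Workload -ne 'Exchange' -or $r.Operation -ne 'MailboxLogin') { continue }
        # The client string identifies the session type; a PowerShell client is the signal.
        # -notmatch is case-insensitive, so "Powershell" and "PowerShell" both match.
        if ($r.ClientInfoString -notmatch 'PowerShell') { continue }
        # Suppress recurring approved operational activity (whitelist).
        if ($ApprovedAccounts -contains $r.UserId) { continue }
        [pscustomobject]@{
            Time     = $r.CreationTime
            User     = $r.UserId
            SourceIP = $r.ClientIPAddress
            Client   = $r.ClientInfoString
        }
    }
}

$records  = $sampleAuditData | ConvertFrom-Json
$approved = @('svc-mailexport@contoso.com')   # assumed whitelist for this tenant

# Expected: a single hit for bob@contoso.com from 192.0.2.77.
$hits = Find-PowerShellMailboxLogin -Records $records -ApprovedAccounts $approved
$hits | Format-Table -AutoSize

# Against a real tenant (requires the ExchangeOnlineManagement module and Connect-ExchangeOnline),
# the same function can be fed live records, for example:
#   $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
#               -Operations MailboxLogin -ResultSize 5000 |
#           ForEach-Object { $_.AuditData | ConvertFrom-Json }
#   Find-PowerShellMailboxLogin -Records $live -ApprovedAccounts $approved
```

Each hit is the starting point for Recommendation 3: pivot on the user and source IP to see what else the account did in the same window. Keep the whitelist to specific accounts rather than broad patterns, since an attacker who obtains a service account's credentials would otherwise be suppressed along with it.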
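One way to enforce Recommendation 2, as an added example that is not part of the original alert page: leave Exchange Online PowerShell enabled only for an allowlist of administrative accounts and disable it for everyone else. It uses the Get-User and Set-User cmdlets with the RemotePowerShellEnabled property from the ExchangeOnlineManagement module and assumes an existing Connect-ExchangeOnline session; the account names are assumptions.

```powershell
# Added example, not code from the original alert page.
# Prerequisite: Connect-ExchangeOnline has already been run in this session.

# Assumed allowlist. The account running this script MUST be in it, otherwise
# the script disables PowerShell access for its own session on the next run.
$allowedAdmins = @('exo-admin1@contoso.com', 'exo-admin2@contoso.com')

function Limit-ExoPowerShellAccess {
    param(
        [Parameter(Mandatory)] [string[]] $AllowedAdmins,
        [switch] $Enforce    # without -Enforce the function only reports what it would change
    )
    # Every account that can currently open an Exchange Online PowerShell session.
    # The filter is an OPATH string, so $true is passed literally inside single quotes.
    $enabled = Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true'

    foreach ($u in $enabled) {
        if ($AllowedAdmins -contains $u.UserPrincipalName) { continue }
        if ($Enforce) {
            Set-User -Identity $u.UserPrincipalName -RemotePowerShellEnabled $false
            "Disabled PowerShell access: $($u.UserPrincipalName)"
        } else {
            "Would disable PowerShell access: $($u.UserPrincipalName)"
        }
    }

    # Make sure the allowlisted administrators keep (or regain) access.
    foreach ($admin in $AllowedAdmins) {
        if ($Enforce) {
            Set-User -Identity $admin -RemotePowerShellEnabled $true
        }
        "Allowed: $admin"
    }
}

# Dry run first: review the list of accounts that would lose access.
Limit-ExoPowerShellAccess -AllowedAdmins $allowedAdmins

# Apply once the list has been reviewed:
# Limit-ExoPowerShellAccess -AllowedAdmins $allowedAdmins -Enforce
```

Run the dry run and review its output before passing -Enforce; newly created accounts are enabled by default, so schedule the script or pair it with your provisioning process rather than treating it as a one-off. Newer releases of the module expose the same setting under the EXOModuleEnabled parameter; if RemotePowerShellEnabled is reported as deprecated in your tenant, substitute that parameter name.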