Managed Sentinel – Alert 095

Alert ID: MS-A095
Alert Name: A malicious IP address accessing an Office 365 resource
Description: This alert triggers when a successful connection to an Office 365 resource is established from an IP address listed as malicious in the threat intelligence feed.
Severity Level: Medium
Threat Indicator: Compromised Accounts
MITRE ATT&CK Tactics: Initial Access, Command and Control, Exfiltration
Log Sources: Office 365
False Positive: The IP address is not actually malicious; the threat intelligence feed that listed it is inaccurate or stale.
Recommendations:
1. Review the affected Office 365 email accounts.
2. Manually validate the malicious IP address against several independent threat intelligence feeds.
3. Change the account password.
4. Investigate in Azure Sentinel using the account name entity to determine whether any other alerts were triggered by the same account in your environment.
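The detection logic described above, as an added example that is not Managed Sentinel's own rule: it models a successful Office 365 event matched against active threat-intelligence indicators, run over a handful of constructed sample records. Column names (UserId, ClientIP, ResultStatus, NetworkIP, ExpirationDateTime, SourceSystem) are borrowed from the Azure Sentinel OfficeActivity and ThreatIntelligenceIndicator tables, but every record, feed name and the `corroborating_feeds` threshold are assumptions made for the example. The corroboration count is the automated counterpart of recommendation 2: a hit backed by only one feed is reported but left unvalidated.

```python
"""Model of alert MS-A095: successful O365 activity from a TI-listed IP.
All records below are constructed for this example; not Managed Sentinel code."""
from datetime import datetime, timedelta, timezone
import ipaddress

NOW = datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed Office 365 audit events (OfficeActivity-style columns).
OFFICE_ACTIVITY = [
    {"TimeGenerated": NOW - timedelta(minutes=30), "UserId": "alice@contoso.example",
     "ClientIP": "203.0.113.5", "Operation": "UserLoggedIn",
     "ResultStatus": "Succeeded", "OfficeWorkload": "AzureActiveDirectory"},
    {"TimeGenerated": NOW - timedelta(minutes=25), "UserId": "alice@contoso.example",
     "ClientIP": "203.0.113.5:52117", "Operation": "MailItemsAccessed",
     "ResultStatus": "Succeeded", "OfficeWorkload": "Exchange"},
    {"TimeGenerated": NOW - timedelta(minutes=20), "UserId": "bob@contoso.example",
     "ClientIP": "198.51.100.7", "Operation": "UserLoggedIn",
     "ResultStatus": "Failed", "OfficeWorkload": "AzureActiveDirectory"},
    {"TimeGenerated": NOW - timedelta(minutes=10), "UserId": "carol@contoso.example",
     "ClientIP": "[2001:db8::9]:443", "Operation": "FileDownloaded",
     "ResultStatus": "Succeeded", "OfficeWorkload": "SharePoint"},
    {"TimeGenerated": NOW - timedelta(minutes=5), "UserId": "dave@contoso.example",
     "ClientIP": "192.0.2.44", "Operation": "UserLoggedIn",
     "ResultStatus": "Succeeded", "OfficeWorkload": "AzureActiveDirectory"},
]

# Constructed TI indicators (ThreatIntelligenceIndicator-style columns); feed names are made up.
THREAT_INTEL = [
    {"NetworkIP": "203.0.113.5", "Active": True, "ExpirationDateTime": NOW + timedelta(days=7),
     "ConfidenceScore": 80, "SourceSystem": "FeedA"},
    {"NetworkIP": "203.0.113.5", "Active": True, "ExpirationDateTime": NOW + timedelta(days=3),
     "ConfidenceScore": 60, "SourceSystem": "FeedB"},
    {"NetworkIP": "198.51.100.7", "Active": True, "ExpirationDateTime": NOW + timedelta(days=7),
     "ConfidenceScore": 90, "SourceSystem": "FeedA"},
    {"NetworkIP": "2001:db8::9", "Active": True, "ExpirationDateTime": NOW + timedelta(days=1),
     "ConfidenceScore": 40, "SourceSystem": "FeedC"},
    {"NetworkIP": "192.0.2.44", "Active": True, "ExpirationDateTime": NOW - timedelta(days=1),
     "ConfidenceScore": 95, "SourceSystem": "FeedA"},  # expired indicator: must not match
]


def normalize_ip(raw):
    """Strip the port that O365 audit records often append ("1.2.3.4:443",
    "[2001:db8::1]:443") and return a canonical ip_address, or None if unparsable."""
    s = raw.strip()
    if s.startswith("["):            # bracketed IPv6 with port
        s = s[1:s.index("]")]
    elif s.count(":") == 1:          # IPv4 with port
        s = s.split(":")[0]
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def active_indicators(ti, now):
    """Map each active, unexpired indicator IP to the set of feeds that list it."""
    listed = {}
    for ind in ti:
        if not ind["Active"] or ind["ExpirationDateTime"] <= now:
            continue
        ip = normalize_ip(ind["NetworkIP"])
        if ip is not None:
            listed.setdefault(ip, set()).add(ind["SourceSystem"])
    return listed


def detect(events, ti, now, corroborating_feeds=2):
    """One alert per (user, IP) for *successful* O365 activity from a listed IP.
    'validated' is True only when at least `corroborating_feeds` distinct feeds
    agree, mirroring the manual cross-feed check in recommendation 2."""
    listed = active_indicators(ti, now)
    alerts = {}
    for ev in events:
        if ev["ResultStatus"] != "Succeeded":   # the alert is about successful connections only
            continue
        ip = normalize_ip(ev["ClientIP"])
        if ip is None or ip not in listed:
            continue
        key = (ev["UserId"], str(ip))
        a = alerts.setdefault(key, {"UserId": ev["UserId"], "ClientIP": str(ip),
                                    "Feeds": sorted(listed[ip]), "Operations": [],
                                    "Workloads": set()})
        a["Operations"].append(ev["Operation"])
        a["Workloads"].add(ev["OfficeWorkload"])
    for a in alerts.values():
        a["Workloads"] = sorted(a["Workloads"])
        a["validated"] = len(a["Feeds"]) >= corroborating_feeds
    return sorted(alerts.values(), key=lambda a: a["UserId"])


if __name__ == "__main__":
    for alert in detect(OFFICE_ACTIVITY, THREAT_INTEL, NOW):
        print(alert)
```

On the constructed data this raises two alerts: alice (two feeds agree, validated) and carol (a single low-confidence feed, left for manual validation). bob's failed sign-in and dave's match against an expired indicator are dropped, which is where the false-positive case on this page usually comes from: stale or single-source indicators. In Sentinel itself the equivalent is a join of OfficeActivity against ThreatIntelligenceIndicator filtered on Active and ExpirationDateTime.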