Managed Sentinel – Alert 131

Alert ID: MS-A131
Alert Name: Notification on emails sent outside of the organization containing specific words in the subject line
Description: This alert is triggered when an email whose subject contains one or more specific words is sent out of the organization. For example, the words "resume" and "job" can be monitored. The customer provides the list of keywords to be monitored.
Severity Level: Informational
Threat Indicator: Data Theft
MITRE ATT&CK Tactics: Exfiltration
Log sources: Office 365
False Positive: The list of keywords provided by the customer may not be relevant, in which case too many alerts could be generated.
Recommendations:
1. Review the identified O365 email accounts and the destination email address.
2. Determine whether this email was legitimately sent outside of the organization.
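The detection logic behind this alert, written out as an added illustration rather than Managed Sentinel's own rule: an event fires only when at least one recipient is outside the organization's mail domains and the subject contains a monitored keyword as a whole word. The organization domain (contoso.example), the keyword list and the sample email events are all constructed for this example; the "Job description for the vendor role" event shows how a generic keyword produces the false positives the alert description warns about.

```python
"""Keyword-in-subject detection for outbound email (illustration of alert MS-A131).

Added example with constructed sample data; not Managed Sentinel's rule code.
"""
import re
from dataclasses import dataclass

# Assumption: the customer's own mail domains (constructed for this example).
ORG_DOMAINS = {"contoso.example"}
# Keywords from the alert description; in practice the customer supplies this list.
KEYWORDS = ["resume", "job"]


@dataclass
class EmailEvent:
    """Minimal outbound mail event: sender, all recipients, subject line."""
    sender: str
    recipients: list[str]
    subject: str


def external_recipients(event: EmailEvent, org_domains=ORG_DOMAINS) -> list[str]:
    """Return the recipients whose mail domain is not one of the organization's domains."""
    return [
        r for r in event.recipients
        if r.rsplit("@", 1)[-1].lower() not in org_domains
    ]


def matched_keywords(subject: str, keywords=KEYWORDS) -> list[str]:
    """Return the monitored keywords that appear in the subject as whole words, case-insensitively.

    Whole-word matching keeps "resumed" from matching "resume"; a looser substring
    match would widen the net and raise the false-positive rate further.
    """
    return [
        k for k in keywords
        if re.search(rf"\b{re.escape(k)}\b", subject, re.IGNORECASE)
    ]


def evaluate(events, org_domains=ORG_DOMAINS, keywords=KEYWORDS) -> list[dict]:
    """Return one alert record per event that leaves the organization with a keyword in its subject."""
    alerts = []
    for ev in events:
        ext = external_recipients(ev, org_domains)
        hits = matched_keywords(ev.subject, keywords)
        if ext and hits:  # both conditions must hold, as in the alert description
            alerts.append({
                "sender": ev.sender,
                "external_recipients": ext,
                "keywords": hits,
                "subject": ev.subject,
            })
    return alerts


# Constructed sample events covering internal-only, external, mixed and non-matching cases.
SAMPLE_EVENTS = [
    EmailEvent("alice@contoso.example", ["bob@contoso.example"], "Resume for the Q3 job fair"),
    EmailEvent("alice@contoso.example", ["recruiter@gmail.example"], "My resume"),
    EmailEvent("carol@contoso.example", ["partner@fabrikam.example"], "Job description for the vendor role"),
    EmailEvent("dave@contoso.example", ["friend@outlook.example"], "Lunch tomorrow?"),
    EmailEvent("eve@contoso.example", ["hr@contoso.example", "eve.personal@mail.example"], "RESUME draft"),
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"{alert['sender']} -> {', '.join(alert['external_recipients'])}: "
              f"{alert['subject']!r} matched {alert['keywords']}")
```

Running the block prints three alerts: the internal-only message and the "Lunch tomorrow?" message are skipped, the mixed-recipient message reports only the external address, and the vendor "Job description" message fires on the keyword "job" even though it is plausibly legitimate business mail, which is exactly the review step the recommendations call for.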