Managed Sentinel – Alert 203

Alert ID: MS-A203
Alert Name: Office 365 connections from malicious IP addresses (Managed Sentinel Threat Intelligence)
Description: Indicates Office 365 activities recorded from IP addresses listed in the Managed Sentinel Threat Intelligence Feed. Recommended minimum score level: 75 and higher.
Severity Level: Medium
Threat Indicator: External attacker
MITRE ATT&CK Tactics: Initial Access, Exfiltration
Log Sources: Office 365
False Positive: Incorrect Threat Intelligence feed entry (set the score level to 75 and above)
Recommendations:
1. Manually validate the malicious IP address against external Threat Intel sources (e.g. www.abuseIPdb.com).
2. Identify the account name used for the connection from the malicious IP address.
3. Identify the number of requests within a specific period of time, which can be a solid indicator of a compromised host.
4. Reset the account password. Enable MFA or Conditional Access policies in O365.
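As an added illustration (not part of the Managed Sentinel alert definition or its query), the matching logic this alert describes plus the per-account counting from triage steps 2 and 3, written in Python over constructed sample feed entries and Office 365 activity records. All IPs, users, scores and timestamps below are made up; the 75 threshold is the one recommended above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed entries (hypothetical IPs and scores), not a real feed.
TI_FEED = [
    {"ip": "203.0.113.10", "score": 90, "description": "credential-stuffing source"},
    {"ip": "198.51.100.7", "score": 40, "description": "low-confidence scanner"},
]

# Constructed sample Office 365 activity records (hypothetical users and IPs).
O365_ACTIVITY = [
    {"time": "2024-05-01T10:00:00", "user": "alice@example.com", "client_ip": "203.0.113.10", "operation": "UserLoggedIn"},
    {"time": "2024-05-01T10:04:00", "user": "alice@example.com", "client_ip": "203.0.113.10", "operation": "FileAccessed"},
    {"time": "2024-05-01T10:09:00", "user": "alice@example.com", "client_ip": "203.0.113.10", "operation": "FileDownloaded"},
    {"time": "2024-05-01T13:30:00", "user": "alice@example.com", "client_ip": "203.0.113.10", "operation": "UserLoggedIn"},
    {"time": "2024-05-01T10:05:00", "user": "bob@example.com", "client_ip": "198.51.100.7", "operation": "UserLoggedIn"},
    {"time": "2024-05-01T10:06:00", "user": "carol@example.com", "client_ip": "192.0.2.5", "operation": "UserLoggedIn"},
]

SCORE_THRESHOLD = 75  # minimum confidence score recommended in the alert definition


def build_ti_index(feed, threshold=SCORE_THRESHOLD):
    """Index only indicators at or above the threshold; low-score entries are the
    false-positive source the alert definition warns about."""
    return {e["ip"]: e for e in feed if e["score"] >= threshold}


def match_activity(activity, ti_index):
    """Return records whose client IP is indexed, with the indicator attached."""
    return [dict(rec, indicator=ti_index[rec["client_ip"]])
            for rec in activity if rec["client_ip"] in ti_index]


def summarize_by_account(matches, window=timedelta(hours=1)):
    """Per (user, ip): total hits and hits within `window` of the first hit,
    supporting triage steps 2 and 3 (account used, request volume over a period)."""
    groups = defaultdict(list)
    for rec in matches:
        groups[(rec["user"], rec["client_ip"])].append(datetime.fromisoformat(rec["time"]))
    summary = {}
    for key, times in groups.items():
        times.sort()
        first = times[0]
        summary[key] = {"total": len(times),
                        "in_window": sum(1 for t in times if t - first <= window),
                        "first_seen": first.isoformat(), "last_seen": times[-1].isoformat()}
    return summary
```

Only the score-90 indicator survives the threshold, so bob's connection from the score-40 IP does not raise a hit, while alice's account shows three requests inside the first hour and a fourth later.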