Managed Sentinel – Alert 212

Alert ID: MS-A212
Alert Name: Office 365 activities from IP listed in the ThreatIntelligenceIndicator table
Description: This alert indicates that one or more Office 365 activities, such as mailbox logins, SharePoint file access and others, have been performed from an IP address that is listed in the ThreatIntelligenceIndicator table.
Severity Level: High
Threat Indicator: Compromised Accounts
MITRE ATT&CK Tactics: Privilege Escalation, Lateral Movement, Credential Access
Log Sources: Office 365
False Positive: The reported IP address may be a false positive in the threat intelligence feed, or it may be shared infrastructure (VPN exit node, proxy or cloud provider range) that legitimate users also connect from. An indicator that has expired or been deactivated in the feed should not be treated as a hit.
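The detection described above, as an added KQL example modeled on the usual Sentinel pattern for matching threat intelligence IP indicators to a log table. It is not Managed Sentinel's own rule logic. Column names follow the Sentinel schema for OfficeActivity and ThreatIntelligenceIndicator; the two lookback windows are assumptions and should be tuned to the rule's run frequency.

```kusto
// Added example, not Managed Sentinel's own rule: join Office 365 activity to
// active, unexpired IP indicators from ThreatIntelligenceIndicator.
// dt_lookBack and ioc_lookBack are assumed values.
let dt_lookBack  = 1h;   // window of OfficeActivity to scan on each run
let ioc_lookBack = 14d;  // how far back to load indicators
let ti_ips = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    // feeds re-ingest indicators; keep only the newest record per IndicatorId
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    // a revoked or expired indicator must not raise the alert (false-positive caveat)
    | where Active == true and ExpirationDateTime > now()
    // an IP indicator can arrive in any of these fields depending on the feed
    | extend TI_ipEntity = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP, EmailSourceIpAddress)
    | where isnotempty(TI_ipEntity)
    | project IndicatorId, TI_ipEntity, ThreatType, ConfidenceScore, Description,
              IndicatorTime = TimeGenerated, ExpirationDateTime;
OfficeActivity
| where TimeGenerated >= ago(dt_lookBack) and isnotempty(ClientIP)
// Exchange records ClientIP as "203.0.113.5:443" or "[2001:db8::1]:443";
// strip the port (and IPv6 brackets) so the value matches a bare indicator IP
| extend IPv4 = extract(@"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$", 1, ClientIP)
| extend IPAddress = case(isnotempty(IPv4), IPv4,
                          ClientIP startswith "[", extract(@"^\[([^\]]+)\]", 1, ClientIP),
                          ClientIP)
| join kind=inner ti_ips on $left.IPAddress == $right.TI_ipEntity
| project TimeGenerated, UserId, Operation, OfficeWorkload, ResultStatus, ClientIP, IPAddress,
          UserAgent, IndicatorId, ThreatType, ConfidenceScore, Description,
          IndicatorTime, ExpirationDateTime
// entity columns for the analytic rule's account and IP mapping
| extend AccountCustomEntity = UserId, IPCustomEntity = IPAddress
```

The `arg_max` and the `Active`/`ExpirationDateTime` filter are what keep stale indicators from firing; the port stripping matters because Exchange mailbox-login events rarely log a bare IP. A rule scheduled every hour with `dt_lookBack = 1h` covers the table without gaps; a longer window on a shorter schedule duplicates hits.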
Recommendations:
1. Review the affected Office 365 accounts and their recent activity (mailbox logins, inbox rules, file access) around the time of the alert.
2. Manually validate the reported IP address against other threat intelligence feeds and confirm the indicator is still active and not expired.
3. Reset the account password and revoke the account's active sessions and refresh tokens, since a password reset alone does not end sessions that are already established.
4. Investigate in Azure Sentinel by pivoting on the account name entity to determine whether any other alerts in your environment were triggered by the same account.
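The account pivot in recommendation 4, as an added KQL example that is not part of the original page or a Managed Sentinel playbook. It lists every other alert in the workspace whose entities include the account from this alert. The UPN and the 30-day lookback are placeholders; the entity parsing follows the SecurityAlert schema, in which an account entity carries `Name` and `UPNSuffix` as separate properties.

```kusto
// Added example, not Managed Sentinel's own query: find other alerts that
// name the same account. `suspect` and `lookback` are placeholder values.
let suspect  = "alice@contoso.example";   // UPN taken from the triggering alert
let lookback = 30d;
SecurityAlert
| where TimeGenerated >= ago(lookback)
// Entities is a JSON array of entity objects; expand it one entity per row
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) == "account"
// rebuild the UPN from the entity's Name and UPNSuffix fields
| extend AccountUpn = tolower(strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)))
| where AccountUpn == tolower(suspect)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Alerts = count(),
            Tactics = make_set(Tactics)
    by AlertName, AlertSeverity, ProviderName
| order by LastSeen desc
```

Run this with the UPN from the MS-A212 alert's account entity; a cluster of other alerts (for example new inbox rules or impossible-travel sign-ins) for the same account in the same window supports treating the indicator match as a true positive rather than a feed false positive.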