Managed Sentinel – Alert 203
| Field | Value |
|---|---|
| Alert ID | MS-A203 |
| Alert Name | Office 365 connections from malicious IP addresses (Managed Sentinel Threat Intelligence) |
| Description | Indicates Office 365 activity recorded from IP addresses listed in the Managed Sentinel Threat Intelligence Feed. Recommended confidence score threshold: 75 and higher. |
| Severity Level | Medium |
| Threat Indicator | External attacker |
| MITRE ATT&CK Tactics | Initial Access, Exfiltration |
| Log sources | Office 365 |
| False Positive | Incorrect Threat Intelligence feed (set the score threshold at 75 and above) |
| Recommendations | 1. Manually validate the malicious IP address against external Threat Intel sources (e.g. www.abuseIPdb.com). 2. Identify the account name used for the connection from the malicious IP address. 3. Identify the number of requests within a specific period of time, which can be a solid indicator of a compromised host. 4. Reset the account password and enable MFA or Conditional Access policies in O365. |
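The detection logic described above, written as a Sentinel KQL query. This is an added example, not Managed Sentinel's own rule; it assumes the feed is ingested into Sentinel's standard ThreatIntelligenceIndicator table and uses the standard OfficeActivity schema, with the page's 75-point threshold as the score filter.

```kql
// Added example (not Managed Sentinel's rule): Office 365 activity from TI-listed IPs
// with ConfidenceScore >= 75, summarized per account so the analyst sees who connected
// and how many requests were made (recommendation steps 2 and 3).
// Assumption: the feed lands in the standard ThreatIntelligenceIndicator table.
let score_threshold = 75;          // threshold recommended on the page
let ti_lookback = 14d;
let activity_lookback = 1d;
let ti_ips = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ti_lookback)
    | where ConfidenceScore >= score_threshold
    | where Active == true and ExpirationDateTime > now()
    | extend TI_IP = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP)
    | where isnotempty(TI_IP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId   // latest copy of each indicator
    | project TI_IP, ConfidenceScore, ThreatType, Description, SourceSystem;
OfficeActivity
    | where TimeGenerated >= ago(activity_lookback)
    | where isnotempty(ClientIP)
    // OfficeActivity.ClientIP may carry a port ("203.0.113.5:443"); keep only the IPv4 part.
    // Non-IPv4 values pass through unchanged (assumption: the feed lists them in the same form).
    | extend SrcIP = coalesce(extract(@"^(\d{1,3}(?:\.\d{1,3}){3})", 1, ClientIP), ClientIP)
    | join kind=inner ti_ips on $left.SrcIP == $right.TI_IP
    | summarize RequestCount = count(),
                FirstSeen = min(TimeGenerated),
                LastSeen = max(TimeGenerated),
                Operations = make_set(Operation, 20),
                Workloads = make_set(OfficeWorkload, 10)
        by UserId, SrcIP, ConfidenceScore, ThreatType, Description, SourceSystem
    | order by RequestCount desc
```

A high RequestCount for a single UserId from one listed address is the pattern recommendation step 3 asks the analyst to look for before resetting the password and enforcing MFA.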