Managed Sentinel – Alert 095
Alert ID | MS-A095 |
Alert Name | A malicious IP address accessing an Office 365 resource |
Description | This alert triggers when a successful connection to an O365 resource is established from an IP address that the Threat Intelligence feed flags as malicious |
Severity Level | Medium |
Threat Indicator | Compromised Accounts |
MITRE ATT&CK Tactics | Initial Access, Command and Control, Exfiltration |
Log sources | Office 365 |
False Positive | The IP address is flagged as malicious by an inaccurate or stale Threat Intelligence feed entry (e.g. an expired indicator, a shared cloud or VPN egress address) |
Recommendations | 1. Review the affected O365 email accounts. 2. Manually validate the malicious IP address against several threat intelligence feeds. 3. Change the account password. 4. Investigate in Azure Sentinel by pivoting on the account name entity to determine whether any other alerts were triggered by the same account in your environment. |
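The detection logic this alert describes (a successful Office 365 operation whose client IP matches an active threat-intelligence indicator) can be expressed as a Sentinel analytics query. The query below is an added example, not the Managed Sentinel rule itself; it assumes the standard OfficeActivity and ThreatIntelligenceIndicator table schemas, and the confidence threshold and lookback windows are assumptions to tune per feed. It also addresses the false-positive case listed above by discarding expired or inactive indicators before the join.

```kql
// Added example: match successful O365 operations against active TI IP indicators.
// Assumptions: standard OfficeActivity / ThreatIntelligenceIndicator schemas,
// ResultStatus == "Succeeded" for successful operations, confidence threshold of 50.
let activity_lookback = 1d;
let ti_lookback = 14d;
let min_confidence = 50;
let ioc_ips =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ti_lookback)
    | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkDestinationIP)
    | extend TI_ip = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP)
    // Indicators are re-ingested with updates; keep only the latest version of each one,
    // then drop anything expired, deactivated or below the confidence threshold.
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where ConfidenceScore >= min_confidence
    | project TI_ip, IndicatorId, ThreatType, Description, ConfidenceScore, ExpirationDateTime;
OfficeActivity
| where TimeGenerated >= ago(activity_lookback)
| where isnotempty(ClientIP)
// Only successful operations count for this alert; failed attempts are a different signal.
| where ResultStatus =~ "Succeeded"
// Some workloads log the client as "203.0.113.5:443"; strip the port so the join works.
| extend ClientIP_only = iff(ClientIP matches regex @"^\d+\.\d+\.\d+\.\d+:\d+$",
                             tostring(split(ClientIP, ":")[0]), ClientIP)
| join kind=inner ioc_ips on $left.ClientIP_only == $right.TI_ip
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Operations = make_set(Operation, 20), Workloads = make_set(OfficeWorkload, 5),
            EventCount = count()
    by UserId, ClientIP_only, IndicatorId, ThreatType, Description, ConfidenceScore
// Entity mapping so the account and IP show up as investigable entities on the alert.
| extend AccountCustomEntity = UserId, IPCustomEntity = ClientIP_only
```

Keeping the `Active`, `ExpirationDateTime` and `ConfidenceScore` filters is what separates a usable rule from a noisy one: a feed that never expires indicators will keep matching shared cloud egress addresses long after the campaign that put them on the list is over.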
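For recommendation 4 (pivoting on the account name entity to find other alerts from the same account), the following added example queries the SecurityAlert table. It is not part of the original page; the account UPN is a constructed placeholder, and it assumes the standard SecurityAlert schema in which entities are stored as a JSON string in the Entities column.

```kql
// Added example: list every alert over the last 30 days that names the suspect account.
// "jdoe@contoso.com" is a constructed placeholder; replace it with the account from the alert.
let account = "jdoe@contoso.com";
// Account entities are often serialised as {"Name":"jdoe","UPNSuffix":"contoso.com"},
// so also search on the bare user-name part.
let account_name = tostring(split(account, "@")[0]);
SecurityAlert
| where TimeGenerated >= ago(30d)
| where CompromisedEntity =~ account
     or Entities has account
     or Entities has account_name
| summarize FirstAlert = min(TimeGenerated), LastAlert = max(TimeGenerated),
            AlertCount = count(),
            Severities = make_set(AlertSeverity),
            TacticsSeen = make_set(Tactics)
    by AlertName, ProviderName
| order by LastAlert desc
```

A cluster of unrelated alert names on the same account within a short window (for example an impossible-travel sign-in followed by a mailbox forwarding rule) supports the compromised-account hypothesis far more than the single IP match on its own.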