Managed Sentinel – Alert 212

| Field | Value |
| --- | --- |
| Alert ID | MS-A212 |
| Alert Name | Office 365 activities from IP listed in the ThreatIntelligenceIndicator table |
| Description | This alert indicates that one or more Office 365 activities (such as mailbox logins, SharePoint file access and others) have been detected as performed from IP addresses listed in the ThreatIntelligenceIndicator table. |
| Severity Level | High |
| Threat Indicator | Compromised Accounts |
| MITRE ATT&CK Tactics | Privilege Escalation, Lateral Movement, Credential Access |
| Log sources | Office 365 |
| False Positive | The reported malicious IP address may be a false positive, based on the Threat Intelligence feed. |
| Recommendations | 1. Review the affected O365 email accounts. 2. Manually validate the malicious IP address against various threat intelligence feeds. 3. Change the account password. 4. Perform an investigation in Azure Sentinel based on the account name entity to determine whether any other alerts were triggered by the same account name in your environment. |
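The detection logic the description refers to is a correlation between Office 365 audit events and IP indicators of compromise. The following KQL is an added illustration of that correlation, written for this page; it is not the Managed Sentinel rule itself. It assumes the standard Microsoft Sentinel schema for the `OfficeActivity` and `ThreatIntelligenceIndicator` tables, and the lookback windows, the port-stripping regex and the output columns are assumptions chosen for the example.

```kql
// Added illustrative query; not the MS-A212 rule as deployed.
// Assumes the standard Microsoft Sentinel OfficeActivity and
// ThreatIntelligenceIndicator schemas. Lookback windows are assumptions.
let activity_lookback = 1h;   // how far back to scan Office 365 activity
let ioc_lookback = 14d;       // how far back to collect indicators
// 1. Build the set of currently active IP indicators. Indicators are re-ingested
//    when feeds update them, so keep only the latest row per IndicatorId; this is
//    also what lets a feed's deactivation or expiry suppress stale matches.
let ActiveIpIndicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookback)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    // Feeds place the IP in different columns; take the first one populated.
    | extend TI_ipEntity = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP)
    | where isnotempty(TI_ipEntity)
    | project IndicatorId, TI_ipEntity, ConfidenceScore, ThreatType, Description, ExpirationDateTime;
// 2. Normalise the client IP recorded by Office 365. ClientIP can carry a port
//    suffix (e.g. 198.51.100.7:443), which would defeat an exact-match join.
OfficeActivity
| where TimeGenerated >= ago(activity_lookback)
| extend IPAddress = extract(@'^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$', 1, ClientIP)
| extend IPAddress = iff(isempty(IPAddress), ClientIP, IPAddress)   // keep non-IPv4 values as-is
| extend ActivityTime = TimeGenerated
// 3. Inner join: only activity originating from an indicator IP survives.
| join kind=inner ActiveIpIndicators on $left.IPAddress == $right.TI_ipEntity
// 4. The activity must fall before the indicator's expiry, so aged-out IOCs do not fire.
| where ActivityTime < ExpirationDateTime
// 5. One row per account/IP/indicator. UserId is the account name entity that
//    recommendation step 4 pivots on; ConfidenceScore supports the manual IP
//    validation in step 2 and the false-positive note above.
| summarize Events = count(), FirstSeen = min(ActivityTime), LastSeen = max(ActivityTime),
            Operations = make_set(Operation, 20), Workloads = make_set(OfficeWorkload, 10)
    by UserId, IPAddress, IndicatorId, ConfidenceScore, ThreatType, Description
| order by ConfidenceScore desc, Events desc
```

When used as a scheduled analytics rule, the query frequency should match `activity_lookback` so every event is compared exactly once, and `UserId` and `IPAddress` are the natural entity mappings (Account and IP) for the investigation graph.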