Managed Sentinel – Alert 131
Alert ID | MS-A131 |
Alert Name | Notification on emails sent outside of organization containing specific words in Subject line |
Description | This alert is triggered when an email whose subject contains specific word(s) is sent out of the organization. For example, the words "resume" and "job" can be monitored. The customer provides the keywords to be monitored |
Severity Level | Informational |
Threat Indicator | Data Theft |
MITRE ATT&CK Tactics | Exfiltration |
Log sources | Office 365 |
False Positive | The list of keywords provided by the customer may not be relevant, and too many alerts could be generated |
Recommendations | 1. Review the identified O365 email accounts and destination email address. 2. Understand if this email was legitimately sent outside of the organization |
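
The detection logic described in this alert, as an added example (not Managed Sentinel's own rule). The record field names, the internal domain `example.com`, the sample messages and the choice of whole-word matching (to limit the false positives noted above) are assumptions.

```python
import re

# Assumptions (not from the alert definition): record field names, the
# internal domain list, and the sample records are constructed for illustration.
INTERNAL_DOMAINS = {"example.com"}
KEYWORDS = ["resume", "job"]  # the two example keywords named in the description

def build_matcher(keywords):
    """Compile one case-insensitive, whole-word pattern for all keywords."""
    alternation = "|".join(re.escape(k) for k in keywords)
    return re.compile(r"\b(?:" + alternation + r")\b", re.IGNORECASE)

def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def external_recipients(record, internal_domains):
    """Recipients whose domain is not one of the organization's own."""
    return [r for r in record["recipients"] if domain_of(r) not in internal_domains]

def evaluate(records, keywords=KEYWORDS, internal_domains=INTERNAL_DOMAINS):
    """Return one alert per message that leaves the organization with a keyword hit."""
    matcher = build_matcher(keywords)
    alerts = []
    for rec in records:
        if domain_of(rec["sender"]) not in internal_domains:
            continue  # only mail sent by the organization's own accounts
        outside = external_recipients(rec, internal_domains)
        hits = sorted({m.lower() for m in matcher.findall(rec["subject"])})
        if outside and hits:
            alerts.append({"alert_id": "MS-A131", "severity": "Informational",
                           "sender": rec["sender"], "external_recipients": outside,
                           "matched_keywords": hits, "subject": rec["subject"]})
    return alerts

SAMPLE = [  # constructed records
    {"sender": "alice@example.com", "recipients": ["hr@other.example.org"], "subject": "My Resume for the open job"},
    {"sender": "bob@example.com", "recipients": ["carol@example.com"], "subject": "Job rotation schedule"},
    {"sender": "dave@example.com", "recipients": ["vendor@other.example.org"], "subject": "Jobsite access, resumed work"},
    {"sender": "erin@example.com", "recipients": ["frank@example.com", "x@other.example.org"], "subject": "RE: JOB offer"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE):
        print(alert)
```

Each alert carries the sender and the external recipients, which are the two items the recommendations ask the analyst to review.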