General
This rule compares activity in Office365 with the data in your MISP source. If activity is detected from an IP address known in MISP, an alarm is raised.
Rationale
The MISP source serves as a repository of indicators of malicious behavior. These details are obtained from research into previous attacks on other organizations. Exchanging that data ensures that new, similar attacks are detected in a timely manner. By correlating this data with the logs in the Microsoft tenant, detection is active and Attic supports rapid incident handling.
Attic currently supports the following MISP sources:
- Z-CERT
- IBD from VNG
- FERM Rotterdam
Use of these sources is only permitted for the intended target group, which Attic will validate per customer.
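As an added illustration of the rule described above (example code, not Attic's own implementation), the following Python correlates constructed sign-in records, modelled on Entra sign-in log fields, against a constructed MISP event export. Only attributes flagged `to_ids` are treated as indicators, CIDR values are honoured, and the Fix is recommended only for sign-ins that succeeded, as the article advises.

```python
import ipaddress
import json

# Constructed MISP event export (not real data): two IDS-flagged indicators
# and one attribute with to_ids=false, which must NOT raise an alarm.
MISP_EXPORT = json.dumps({"Event": {"info": "constructed example", "Attribute": [
    {"type": "ip-src", "value": "203.0.113.7", "to_ids": True},
    {"type": "ip-src", "value": "198.51.100.0/24", "to_ids": True},
    {"type": "ip-dst", "value": "192.0.2.99", "to_ids": False},
]}})

# Constructed sign-in records modelled on Entra sign-in log fields
# (userPrincipalName, ipAddress, status.errorCode; errorCode 0 = success).
SIGNIN_LOG = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7",
     "status": {"errorCode": 0}},       # successful login from a known-bad IP
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.42",
     "status": {"errorCode": 50126}},   # failed login from a known-bad range
    {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.99",
     "status": {"errorCode": 0}},       # matches only a non-IDS attribute
    {"userPrincipalName": "dave@example.com", "ipAddress": "10.0.0.5",
     "status": {"errorCode": 0}},       # no indicator match
]

def load_ip_indicators(misp_json):
    """Return (network, attribute) pairs for IDS-flagged ip-src/ip-dst attributes."""
    indicators = []
    for attr in json.loads(misp_json)["Event"]["Attribute"]:
        if attr["type"] in ("ip-src", "ip-dst") and attr.get("to_ids"):
            # strict=False lets a single host address be treated as a /32 network
            indicators.append((ipaddress.ip_network(attr["value"], strict=False), attr))
    return indicators

def match_signins(signins, indicators):
    """Raise one alarm per sign-in whose source IP falls inside a MISP indicator.
    fix_recommended follows the article: block the account only if the login succeeded."""
    alerts = []
    for rec in signins:
        ip = ipaddress.ip_address(rec["ipAddress"])
        for net, attr in indicators:
            if ip in net:
                succeeded = rec["status"]["errorCode"] == 0
                alerts.append({"user": rec["userPrincipalName"], "ip": rec["ipAddress"],
                               "indicator": attr["value"], "fix_recommended": succeeded})
                break  # one alarm per sign-in, even if several indicators overlap
    return alerts

if __name__ == "__main__":
    for alert in match_signins(SIGNIN_LOG, load_ip_indicators(MISP_EXPORT)):
        print(alert)
```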
Attic Fix
A Fix is available for this detection that blocks the account in question. It is recommended to perform this Fix if the login attempt was successful.
This action ensures that no further damage can occur, but it is advisable to investigate further what the account has done.
If you have an IR Strip Card, please contact our experts to perform the follow-up research.
Manual follow-up
Follow these steps to follow up on this detection:
- Open the Entra admin portal https://entra.microsoft.com
- Go to Identity, then Monitoring & Health, then Sign-in logs
- Find out how the sign-in to the account took place
- Investigate the login attempt and, only if it can be determined that the alarm is not a false positive:
- Block the user account
- Reset the password and revoke logged-in sessions
- Investigate the account for suspicious behavior or changed authentication methods and suspicious App Consents. Also check the mailbox for any forwarding rules. Zolder can assist with this.
- Re-enable the account only once it is safe to use again.