Last 24h Analysis.

These alerts indicate the detection of unusual or infrequent Office 365 operations, which could suggest malicious activity such as account compromise, privilege escalation, or data exfiltration. Given the previous alerts related to privileged account sign-in failures and rare subscription-level operations, this pattern raises concern that an attacker may be attempting to manipulate or access sensitive Office 365 resources.

Assessment:

  • High. Rare Office operations combined with prior suspicious activity suggest a potential security incident requiring immediate investigation.


1. **Containment & Verification:**
   - Identify the user accounts involved in these rare operations.
   - Verify whether the operations align with legitimate business activities or are anomalous.

2. **Investigate User Activity:**
   - Review recent sign-in logs for the affected accounts to detect anomalies or suspicious sign-in patterns.

3. **Account & Access Review:**
   - Check for any recent privilege escalations or changes in account permissions.
   - Confirm MFA status and recent credential changes.

4. **Audit and Monitor:**
   - Enable additional logging if not already active.
   - Monitor for further suspicious activities.

5. **Remediation:**
   - If malicious activity is confirmed, disable or reset affected accounts.
   - Consider implementing targeted MFA prompts or account lockouts.

- **Account Access Control:** Implement strict access controls and MFA enforcement.
- **Anomaly Detection:** Use behavioral analytics to identify deviations.
- **Logging & Monitoring:** Ensure comprehensive logging of Office 365 activities.
- **Incident Response:** Prepare to isolate affected accounts and revoke suspicious permissions.

*1. Investigate the specific Office 365 rare operation:*
```kusto
OfficeActivity
// In OfficeActivity the acting account's UPN is in UserId; fill in the account and operation(s) from the alert
| where UserId == ""
| where Operation in ("")
| project TimeGenerated, UserId, OfficeWorkload, Operation, ClientIP, ResultStatus
| order by TimeGenerated desc
```

*2. Review sign-in activity for the user:*
```kusto
SigninLogs
| where UserPrincipalName == ""
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location, ResultType, ResultDescription, AuthenticationRequirement
| order by TimeGenerated desc
```

*3. Check for recent privilege changes:*
```kusto
AuditLogs
| where OperationName in ("Update user", "Add member to role")
// The affected principal is inside the TargetResources array, not a top-level column
| extend TargetUPN = tostring(TargetResources[0].userPrincipalName)
| where TargetUPN == ""
| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, OperationName, Result, Initiator, TargetUPN
| order by TimeGenerated desc
```

*4. Detect unusual sign-in locations or devices:*
```kusto
SigninLogs
| where UserPrincipalName == ""
// DeviceDetail is a dynamic column; pull out the fields worth grouping on
| extend OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)
| summarize SignIns = count(), Failures = countif(ResultType != "0") by Location, OS, Browser, bin(TimeGenerated, 1d)
| order by SignIns desc
```
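The four queries above each take one account as input. The query below, added here as an example and not part of the original analysis, does the "rare operation" part of the triage in one pass: it scores every Office 365 operation seen in the last 24h against a 30-day baseline, then joins the acting accounts to their failed sign-ins in the same window, which is the combination this alert is concerned about. The lookback, window and rarity threshold are assumed tuning values, not figures from the alert.

```kusto
// Added example: rare Office 365 operations (last 24h vs 30-day baseline)
// correlated with failed sign-ins for the same accounts.
// lookback, window and rare_threshold are assumed values; tune per tenant.
let lookback = 30d;
let window = 24h;
let rare_threshold = 3;
// Baseline: how often each operation occurred before the current window
let baseline = OfficeActivity
    | where TimeGenerated between (ago(lookback) .. ago(window))
    | summarize PriorCount = count() by Operation, OfficeWorkload;
// Recent: operations in the last 24h, with the accounts that performed them
let recent = OfficeActivity
    | where TimeGenerated > ago(window)
    | summarize RecentCount = count(), Users = make_set(UserId, 20), FirstSeen = min(TimeGenerated)
        by Operation, OfficeWorkload;
recent
| join kind=leftouter baseline on Operation, OfficeWorkload
// Operations never seen in the baseline have no match; treat them as count 0
| extend PriorCount = coalesce(PriorCount, long(0))
| where PriorCount <= rare_threshold
// One row per (operation, acting account)
| mv-expand UserId = Users to typeof(string)
// Failed sign-ins for those accounts in the same window (ResultType "0" = success)
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(window)
    | where ResultType != "0"
    | summarize FailedSignIns = count(), FailureCodes = make_set(ResultType, 10) by UserPrincipalName
  ) on $left.UserId == $right.UserPrincipalName
| project FirstSeen, OfficeWorkload, Operation, UserId, RecentCount, PriorCount,
          FailedSignIns = coalesce(FailedSignIns, long(0)), FailureCodes
// Accounts with both a rare operation and sign-in failures surface first
| order by FailedSignIns desc, PriorCount asc
```

Rows with a low PriorCount and a non-zero FailedSignIns are the ones to feed into queries 1 to 4 above for the individual account.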