Dec 16 2022 12:00 PM - edited Dec 16 2022 12:12 PM
Questions on Activity log. I am seeing multiple times that our organization user accounts have an activity from a foreign IP. These IPs range from Nepal, India, UK, Ireland, Mexico, Brazil, Puerto Rico, etc. So, the IPs are all over the place. It affected dozens of users.
I have filtered out cloud provider IPs as those activities may be copies of the cloud environment copying to different cloud data centers. These IPs range over Ireland, Mexico City, and the Netherlands. These activities are usually tied to MS Exchange and typically have the cloud icon next to the IP in the activity log screen.
Usually activities like "FilePreviewed: file https://xx"
There are also these:
Run command: task MailItemsAccessed; Parameters: Session ID xxstringxx , property MailAccessType Bind, property IsThrottled False
and
Run command: task Send; Parameters: Session ID xxstringxx
I will admit that I am new to this Defender portal and to cyber.
Am I being too cautious when I see
Run command: task MailItemsAccessed; Parameters: Session ID xxstringxx property MailAccessType Bind, property IsThrottled False
and
Run command: task Send; Parameters: Session ID xxxxstringxx
and
Allow computer to sync files: OneDrive Site Collection
and
CONTENT_ACCESS
and
seeing some MS Exchange stuff from Mexico IP (not sure if this is a cloud thing or not)
I see these from foreign IPs that are not associated to cloud providers and the users have not visited those countries. Should I raise an alarm or are the activities associated to cloud activities and thus not an alert? Sorry, again, I am new to this.
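A triage helper for the question above, as an added example that is not part of the original thread: it drops rows the portal marks with the cloud icon (service traffic), drops IPs inside an allowlist you supply (a hypothetical input such as known VPN egress), flags per-user activity from outside your home countries, and ranks Send and sync operations above a plain MailItemsAccessed read. The event rows and the allowlisted network are constructed sample data.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed rows in the shape of an exported activity-log table (not real data).
# cloud_icon mirrors the portal marker for Microsoft service addresses.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "operation": "MailItemsAccessed",
     "ip": "203.0.113.7", "country": "NP", "cloud_icon": False},
    {"user": "alice@example.com", "operation": "Send",
     "ip": "203.0.113.7", "country": "NP", "cloud_icon": False},
    {"user": "bob@example.com", "operation": "FilePreviewed",
     "ip": "198.51.100.20", "country": "IE", "cloud_icon": True},
    {"user": "bob@example.com", "operation": "MailItemsAccessed",
     "ip": "192.0.2.44", "country": "US", "cloud_icon": False},
    {"user": "bob@example.com", "operation": "CONTENT_ACCESS",
     "ip": "192.0.2.200", "country": "MX", "cloud_icon": False},
    {"user": "carol@example.com", "operation": "Allow computer to sync files",
     "ip": "192.0.2.99", "country": "MX", "cloud_icon": False},
]

# Operations that send mail or pull data out rank above a plain read.
HIGHER_IMPACT = {"Send", "Allow computer to sync files"}


def triage(events, home_countries, allowlisted_nets=()):
    """Return (findings, multi_country) for non-service activity outside home countries.
    findings: {user: [(operation, ip, country, severity), ...]}
    multi_country: {user: {countries}} for users seen from more than one country.
    Cloud-icon rows and IPs in an allowlisted network (hypothetical input) are skipped."""
    nets = [ip_network(n) for n in allowlisted_nets]
    findings = defaultdict(list)
    seen = defaultdict(set)
    for ev in events:
        if ev["cloud_icon"] or any(ip_address(ev["ip"]) in n for n in nets):
            continue
        seen[ev["user"]].add(ev["country"])
        if ev["country"] in home_countries:
            continue
        severity = "high" if ev["operation"] in HIGHER_IMPACT else "review"
        findings[ev["user"]].append((ev["operation"], ev["ip"], ev["country"], severity))
    multi = {u: c for u, c in seen.items() if len(c) > 1}
    return dict(findings), multi


if __name__ == "__main__":
    found, multi = triage(SAMPLE_EVENTS, {"US"}, allowlisted_nets=["192.0.2.96/28"])
    for user, items in found.items():
        print(user, items)
    print("users seen from several countries:", multi)
```

Rows that survive this filter are the ones to check against the user's known devices and sign-in locations before deciding whether to raise an alert.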
Dec 19 2022 09:23 AM
Dec 20 2022 07:45 AM
Feb 08 2024 01:08 PM
I have investigated this same event and confirmed the user was accessing their email on their mobile phone and using an internet service whose IP address has a malicious reputation on IPVOID. The alert was triggered because of the IP address reputation.