Jun 04 2020 06:54 AM - last edited on Dec 23 2021 10:02 AM by TechCommunityAP
Hi all,
We recently had an alert raised in Azure Sentinel about "Rare and potentially high-risk Office operations".
When checking the events that triggered the alert, I saw in the "AccountCustomEntity" and "Userkey" fields: Microsoft Operator
The account name makes it assumable that this is activity related to Microsoft Support performing actions, but we do not have any open cases.
This is not an account that has been made in the tenant, nor can I find any documentation that states the existence or usage of a Microsoft Operator account.
I have checked:
Even when filtering on the IP address that has been used I can't find any hits.
FYI: the IP address is not linked to Microsoft Datacenter.
Is this indeed an official Microsoft support account, and can someone explain where we can find the original logs?
Kind Regards
Louis
Jun 05 2020 12:22 AM
Solution
Would someone have raised an O365 request?
Jun 05 2020 06:46 AM