Jun 04 2020 - last edited on Dec 23 2021
We recently had an alert raised in Azure Sentinel about "Rare and potentially high-risk Office operations".
When checking the events that triggered the alert, I saw in the "AccountCustomEntity" and "UserKey" fields: Microsoft Operator
The account name makes it plausible that this is activity from Microsoft Support performing actions, but we do not have any open cases....
This is not an account that has been made in the tenant, nor can I find any documentation that states the existence or usage of a Microsoft Operator account.
I have checked:
Even when filtering on the IP address that has been used I can't find any hits.
FYI: the IP address is not linked to Microsoft Datacenter.
Is this indeed an official Microsoft support account, and can someone explain where we can find the original logs?
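Added example, not the poster's or Microsoft's own query: a KQL hunt over the OfficeActivity table in Sentinel (assumed here to be the table the "Rare and potentially high-risk Office operations" rule reads its Office 365 audit events from) that pulls every event attributed to the account or to the alert's source IP. The IP value is a placeholder.

```kql
// Added example (not from the original post): locate the raw Office 365 audit
// events behind the alert for the suspect actor.
// Assumptions: the Office 365 connector is enabled (OfficeActivity table) and the
// alert's account entity maps to UserId / UserKey. <ALERT_CLIENT_IP> is a placeholder.
let lookback = 30d;
let suspectAccount = "Microsoft Operator";
let suspectIp = "<ALERT_CLIENT_IP>";
OfficeActivity
| where TimeGenerated > ago(lookback)
// match on either identity column, case-insensitively, or on the source IP
| where UserId =~ suspectAccount or UserKey =~ suspectAccount or ClientIP == suspectIp
| project TimeGenerated, OfficeWorkload, Operation, UserId, UserKey, UserType, ClientIP, Parameters
| order by TimeGenerated desc
```

An empty result over the full lookback, with the alert still firing, points at a difference between what the analytic rule matched and what the table now holds (for example retention or a rule running on a different workspace), which is worth confirming before treating the account as external.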
Jun 05 2020 12:22 AM - Solution
Would someone have raised an O365 request?