SOLVED

Microsoft Operator?


Hi all,

We recently had an alert raised in Azure Sentinel about "Rare and potentially high-risk Office operations".
When checking the events that triggered the alert, I saw in the "AccountCustomEntity" and "Userkey" fields: Microsoft Operator

The account name does make it easy to assume that this is activity from Microsoft Support performing actions. But we do not have any open cases....
[Screenshot: 2020-06-04 15_39_11-Logs.png]

This is not an account that has been made in the tenant, nor can I find any documentation that states the existence or usage of a Microsoft Operator account. 

I have checked:

  • Azure AD (audit & sign in logs)
  • Exchange audit logs
  • MCAS

Even when filtering on the IP address that has been used, I can't find any hits.
FYI: the IP address is not linked to a Microsoft datacenter.


Is this indeed an official Microsoft support account, and can you explain where we can find the original logs?

Kind Regards


Louis

2 Replies

best response confirmed by LouisMastelinck (Contributor)

Clive Watson:

@LouisMastelinck

Would someone have raised an O365 request?

https://docs.microsoft.com/ro-ro/microsoft-365/compliance/customer-lockbox-requests?view=o365-worldwide#auditing-customer-lockbox-requests

LouisMastelinck:

The people I reached out to did not know of an O365 request. But the documentation and logs do seem to indicate this is what happened. Thanks @Clive Watson
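A triage query for the situation in this thread, added here as an example and not part of any reply: it summarises OfficeActivity records attributed to the Microsoft Operator identity and counts Customer Lockbox request decisions recorded in the same window, so an analyst can see whether an approved Lockbox request explains the activity. Table and column names are the standard Sentinel OfficeActivity schema; the operation name Set-AccessToCustomerDataRequest is the one the Lockbox auditing docs describe (verify it against the linked page), and the 14-day lookback is an assumption.

```kql
// Added example: correlate "Microsoft Operator" activity with Customer Lockbox audit records.
let lookback = 14d;   // assumption: widen or narrow to match the alert's time range
// 1. Everything the unified audit log attributes to the Microsoft Operator identity
let operatorActivity = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where UserId =~ "Microsoft Operator" or UserKey =~ "Microsoft Operator"
    | project TimeGenerated, OfficeWorkload, Operation, UserId, ClientIP, OfficeObjectId;
// 2. Customer Lockbox request decisions (approve/deny) recorded in the same window;
//    operation name taken from the Customer Lockbox auditing documentation
let lockboxDecisions = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where Operation =~ "Set-AccessToCustomerDataRequest"
    | project LockboxTime = TimeGenerated, DecidedBy = UserId;
operatorActivity
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Operations = make_set(Operation), SourceIPs = make_set(ClientIP), Events = count()
| extend LockboxDecisions = toscalar(lockboxDecisions | count)
// Reading the result: operator events present with LockboxDecisions == 0 means no
// Lockbox request in this window accounts for the activity, which is the case to escalate.
```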