O365 logs from other Tenants

["King, Ronald A." <raking () NSU EDU>]

Good morning everyone!

We have had two instances where a faculty member has left our employment and had their account disabled. Our SIEM will 
then alert that the "disabled" account, but with a different .edu domain, has logged into O365. I am guessing the 
SIEM's O365 API is picking up a log from the other (.edu) tenant.  I see the log in the SIEM but not O365.

Has anyone seen anything like this before?

Thank you,
Ronald King
Director of OIT Security

With Office 365, you can report a message as phishing or junk. Using Outlook in a web browser or the mobile Outlook 
app, start by clicking/tapping "Junk/Report Junk!"

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu<mailto:raking () nsu edu>
www.nsu.edu<http://www.nsu.edu/>
@NSUCISO (Twitter)
[NSU_logo_horiz_tag_4c - Smaller]


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community