Microsoft 365 Portal Login from Rare Location
editMicrosoft 365 Portal Login from Rare Location
editDetects successful Microsoft 365 portal logins from rare locations. Rare locations are defined as locations that are not commonly associated with the user’s account. This behavior may indicate an adversary attempting to access a Microsoft 365 account from an unusual location or behind a VPN.
Rule type: new_terms
Rule indices:
- filebeat-*
- logs-o365.audit-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: Microsoft 365
- Use Case: Threat Detection
- Tactic: Initial Access
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editevent.dataset: "o365.audit" and event.provider: "AzureActiveDirectory" and event.action: "UserLoggedIn" and event.outcome: "success" and not o365.audit.UserId: "Not Available" and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
-
Sub-technique:
- Name: Cloud Accounts
- ID: T1078.004
- Reference URL: https://attack.mitre.org/techniques/T1078/004/