Microsoft 365 Portal Logins from Impossible Travel Locations

Detects successful Microsoft 365 portal logins from impossible travel locations. Impossible travel locations are defined as two different countries within a short time frame. This behavior may indicate an adversary accessing a Microsoft 365 account through a compromised account, or a malicious actor attempting to access a Microsoft 365 account from a different location.
Rule type: threshold
Rule indices:
- filebeat-*
- logs-o365.audit-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-15m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: Microsoft 365
- Use Case: Threat Detection
- Tactic: Initial Access
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
event.dataset: "o365.audit" and event.provider: "AzureActiveDirectory" and event.action: "UserLoggedIn" and event.outcome: "success" and not o365.audit.UserId: "Not Available" and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
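As an added example (not Elastic's own rule implementation), the following Python re-implements the query's filter clause and the description's impossible-travel definition over a handful of constructed o365.audit events. The threshold grouping field (o365.audit.UserId), the geo field used for the country (source.geo.country_name), the list shape of o365.audit.Target, and the treatment of the 15-minute look-back as a sliding window per user are assumptions; the page itself gives only the query and the "two different countries within a short time frame" definition.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Allowed o365.audit.Target.Type values, copied from the rule query above.
ALLOWED_TARGET_TYPES = {"0", "2", "3", "5", "6", "10"}
# Look-back window taken from "Searches indices from: now-15m" on the page.
WINDOW = timedelta(minutes=15)


def _get(doc, path, default=None):
    """Walk a dotted field path through nested dicts (ECS-style documents)."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def matches_rule_query(doc):
    """Python equivalent of the rule query's filter clause (field mapping assumed)."""
    if _get(doc, "event.dataset") != "o365.audit":
        return False
    if _get(doc, "event.provider") != "AzureActiveDirectory":
        return False
    if _get(doc, "event.action") != "UserLoggedIn":
        return False
    if _get(doc, "event.outcome") != "success":
        return False
    if _get(doc, "o365.audit.UserId") == "Not Available":
        return False
    # Assumption: Target is a list of {ID, Type} objects; a single dict is accepted too.
    targets = _get(doc, "o365.audit.Target", [])
    if isinstance(targets, dict):
        targets = [targets]
    return any(str(t.get("Type")) in ALLOWED_TARGET_TYPES for t in targets)


def find_impossible_travel(docs, window=WINDOW):
    """Return {user: sorted countries} for every user whose successful logins
    (after the query filter) came from two or more countries inside any
    `window`-long interval. Grouping by o365.audit.UserId and counting
    distinct source.geo.country_name values are assumed threshold settings."""
    per_user = defaultdict(list)
    for doc in docs:
        if not matches_rule_query(doc):
            continue
        user = _get(doc, "o365.audit.UserId")
        country = _get(doc, "source.geo.country_name")
        ts = datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00"))
        if user and country:
            per_user[user].append((ts, country))

    alerts = {}
    for user, logins in per_user.items():
        logins.sort()
        # Sliding window: from each login, collect countries seen within `window` after it.
        for i, (start, _) in enumerate(logins):
            countries = {c for ts, c in logins[i:] if ts - start <= window}
            if len(countries) >= 2:
                alerts[user] = sorted(countries)
                break
    return alerts


def _event(ts, user, country, outcome="success", target_type="0"):
    """Build a constructed sample event in the shape assumed above."""
    return {
        "@timestamp": ts,
        "event": {"dataset": "o365.audit", "provider": "AzureActiveDirectory",
                  "action": "UserLoggedIn", "outcome": outcome},
        "o365": {"audit": {"UserId": user,
                           "Target": [{"ID": "app-id-placeholder", "Type": target_type}]}},
        "source": {"geo": {"country_name": country}},
    }


# Constructed sample events (not real telemetry): only alice should trigger.
SAMPLE_EVENTS = [
    _event("2024-01-10T09:00:00Z", "alice@example.com", "Germany"),
    _event("2024-01-10T09:05:00Z", "alice@example.com", "Brazil"),        # 2 countries in 5 min
    _event("2024-01-10T09:00:00Z", "bob@example.com", "United States"),
    _event("2024-01-10T09:10:00Z", "bob@example.com", "United States"),   # same country
    _event("2024-01-10T09:00:00Z", "carol@example.com", "France"),
    _event("2024-01-10T10:00:00Z", "carol@example.com", "Japan"),         # outside 15 min
    _event("2024-01-10T09:00:00Z", "dave@example.com", "Canada"),
    _event("2024-01-10T09:03:00Z", "dave@example.com", "Brazil", outcome="failure"),  # filtered
    _event("2024-01-10T09:00:00Z", "Not Available", "Germany"),            # filtered
    _event("2024-01-10T09:01:00Z", "Not Available", "Brazil"),             # filtered
    _event("2024-01-10T09:00:00Z", "erin@example.com", "Spain", target_type="4"),  # filtered
    _event("2024-01-10T09:02:00Z", "erin@example.com", "Brazil"),
]

if __name__ == "__main__":
    print(find_impossible_travel(SAMPLE_EVENTS))
```

The sliding window is an approximation of how a scheduled threshold rule buckets events: because the rule runs every 5 minutes over a 15-minute look-back, two logins 14 minutes apart can land in the same execution window or be split across two, so treat the alert as a trigger for checking the user's full sign-in history rather than a definitive verdict.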
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Initial Access
  - ID: TA0001
  - Reference URL: https://attack.mitre.org/tactics/TA0001/
- Technique:
  - Name: Valid Accounts
  - ID: T1078
  - Reference URL: https://attack.mitre.org/techniques/T1078/
- Sub-technique:
  - Name: Cloud Accounts
  - ID: T1078.004
  - Reference URL: https://attack.mitre.org/techniques/T1078/004/