Microsoft 365 Portal Logins from Impossible Travel Locations

edit

Microsoft 365 Portal Logins from Impossible Travel Locations

edit

Detects successful Microsoft 365 portal logins from impossible travel locations. Impossible travel locations are defined as two different countries within a short time frame. This behavior may indicate an adversary attempting to access a Microsoft 365 account from a compromised account or a malicious actor attempting to access a Microsoft 365 account from a different location.

Rule type: threshold

Rule indices:

  • filebeat-*
  • logs-o365.audit-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-15m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: Microsoft 365
  • Use Case: Threat Detection
  • Tactic: Initial Access

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
event.dataset: "o365.audit"
    and event.provider: "AzureActiveDirectory"
    and event.action: "UserLoggedIn"
    and event.outcome: "success"
    and not o365.audit.UserId: "Not Available"
    and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")

Framework: MITRE ATT&CKTM