Microsoft 365 Portal Logins from Impossible Travel Locations

Detects successful Microsoft 365 portal logins from impossible travel locations. Impossible travel locations are defined as two different countries within a short time frame. This behavior may indicate an adversary attempting to access a Microsoft 365 account from a compromised account or a malicious actor attempting to access a Microsoft 365 account from a different location.

Rule type: threshold

Rule indices:

filebeat-*
logs-o365.audit-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-15m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-

Tags:

Domain: Cloud
Data Source: Microsoft 365
Use Case: Threat Detection
Tactic: Initial Access

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

event.dataset: "o365.audit"
    and event.provider: "AzureActiveDirectory"
    and event.action: "UserLoggedIn"
    and event.outcome: "success"
    and not o365.audit.UserId: "Not Available"
    and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Sub-technique:
- Name: Cloud Accounts
- ID: T1078.004
- Reference URL: https://attack.mitre.org/techniques/T1078/004/

« Microsoft 365 Portal Login from Rare Location Microsoft 365 Potential ransomware activity »