LoFP

False positives may occur when users are using a VPN or when users are traveling to different locations for legitimate purposes.

Sample rules

Microsoft 365 Portal Logins from Impossible Travel Locations

Description

Detects successful Microsoft 365 portal logins from impossible travel locations. Impossible travel locations are defined as two different countries within a short time frame. This behavior may indicate an adversary attempting to access a Microsoft 365 account from a compromised account or a malicious actor attempting to access a Microsoft 365 account from a different location.

Detection logic

event.dataset: "o365.audit"
    and event.provider: "AzureActiveDirectory"
    and event.action: "UserLoggedIn"
    and event.outcome: "success"
    and not o365.audit.UserId: "Not Available"
    and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")

Microsoft 365 Portal Login from Rare Location

Description

Detects successful Microsoft 365 portal logins from rare locations. Rare locations are defined as locations that are not commonly associated with the user’s account. This behavior may indicate an adversary attempting to access a Microsoft 365 account from an unusual location or behind a VPN.

Detection logic

event.dataset: "o365.audit"
    and event.provider: "AzureActiveDirectory"
    and event.action: "UserLoggedIn"
    and event.outcome: "success"
    and not o365.audit.UserId: "Not Available"
    and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
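The two rules above share the same base query; the impossible-travel and rare-location conditions are applied on top of it. The following added example (not part of the original rules) implements both conditions over constructed o365.audit-style login records, using an assumed 6-hour window for "short time frame" and an optional set of known VPN egress countries to suppress the false positives described on this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful portal logins (not from the page). Each
# record holds the user, the event timestamp and the country resolved from
# the client IP; the real o365.audit event carries these in other fields.
EVENTS = [
    {"user": "alice@example.com", "ts": "2024-05-01T08:00:00Z", "country": "US"},
    {"user": "alice@example.com", "ts": "2024-05-01T08:45:00Z", "country": "RO"},
    {"user": "alice@example.com", "ts": "2024-05-01T18:00:00Z", "country": "US"},
    {"user": "bob@example.com",   "ts": "2024-05-01T09:00:00Z", "country": "GB"},
    {"user": "bob@example.com",   "ts": "2024-05-02T09:00:00Z", "country": "GB"},
    {"user": "bob@example.com",   "ts": "2024-05-03T15:00:00Z", "country": "FR"},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def impossible_travel(events, window=timedelta(hours=6), vpn_countries=frozenset()):
    """Return (user, from_country, to_country, minutes) for consecutive logins
    by the same user from two different countries within `window`. Logins
    whose country is a known VPN egress country are skipped to cut the
    false positives the LoFP note describes. The 6h window is an assumption."""
    hits = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, logins in by_user.items():
        logins.sort(key=lambda e: _parse(e["ts"]))
        for prev, cur in zip(logins, logins[1:]):
            if prev["country"] in vpn_countries or cur["country"] in vpn_countries:
                continue
            delta = _parse(cur["ts"]) - _parse(prev["ts"])
            if prev["country"] != cur["country"] and delta <= window:
                minutes = int(delta.total_seconds() // 60)
                hits.append((user, prev["country"], cur["country"], minutes))
    return hits

def rare_location(events, baseline):
    """Flag (user, country) for logins from a country absent from the user's
    baseline, where `baseline` maps user -> set of countries observed during
    a learning period (constructed here, normally built from history)."""
    return [(e["user"], e["country"]) for e in events
            if e["country"] not in baseline.get(e["user"], set())]

if __name__ == "__main__":
    print(impossible_travel(EVENTS))
    print(rare_location(EVENTS, {"alice@example.com": {"US"}, "bob@example.com": {"GB"}}))
```

Tuning the window and the VPN egress set against a period of known-good logins is what keeps the rule's alert volume manageable; the baseline for rare locations should be rebuilt periodically as users relocate.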