Techniques
Sample rules
M365 Identity Login from Atypical Region
- source: elastic
- techniques:
  - T1078
Description
Detects successful Microsoft 365 portal logins from a country/region pair the user has not authenticated from within the rule's lookback window. The user's geolocation history is keyed on the combination of source country and region, so a successful authentication from a country/region pair that is new for that user is treated as atypical and may indicate an adversary accessing the account from an unusual location or through a VPN. Logins from mobile user agents, from a fixed set of application IDs, and intermediate steps of the sign-in flow (reprocess, resume, consent and similar request types) are excluded to reduce noise.
Detection logic
data_stream.dataset:o365.audit and
event.provider:AzureActiveDirectory and
event.action:UserLoggedIn and
event.outcome:success and
o365.audit.Target.Type:(0 or 10 or 2 or 3 or 5 or 6) and
o365.audit.UserId:(* and not "Not Available") and
source.geo.country_name:* and
source.geo.region_name:* and
not o365.audit.ApplicationId:(
29d9ed98-a469-4536-ade2-f981bc1d605e or
38aa3b87-a06d-4817-b275-7a316988d93b or
a809996b-059e-42e2-9866-db24b99a9782 or
08e18876-6177-487e-b8b5-cf950c1e598c or
3e62f81e-590b-425b-9531-cad6683656cf or
d7b530a4-7680-4c23-a8bf-c52c121d2e87
) and not o365.audit.ExtendedProperties.RequestType:(
"Consent:Set" or
"DeviceAuth:ReprocessTls" or
"Kmsi:kmsi" or
"Login:reprocess" or
"Login:resume" or
"MessagePrompt:MessagePrompt" or
"Saml2:processrequest" or
"SAS:EndAuth" or
"SAS:ProcessAuth"
) and
not user_agent.original:(*iPhone* or *iPad* or *Android* or *PKeyAuth*)
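The filter above, run over constructed o365.audit events, as an added Python example (this is not the rule's own code and not how the SIEM evaluates it). The static clauses are translated one-to-one, while the "not previously authenticated from" check is modelled as a rolling per-user history of (country, region) pairs with an assumed 30-day window. The sample events, the placeholder application ID, and the helper names make_login, AtypicalRegionDetector and run_detection are assumptions made for the example.

```python
from collections import defaultdict

DAY = 86400
# Constants lifted from the query above.
TARGET_TYPES = {0, 2, 3, 5, 6, 10}
EXCLUDED_APP_IDS = {
    "29d9ed98-a469-4536-ade2-f981bc1d605e", "38aa3b87-a06d-4817-b275-7a316988d93b",
    "a809996b-059e-42e2-9866-db24b99a9782", "08e18876-6177-487e-b8b5-cf950c1e598c",
    "3e62f81e-590b-425b-9531-cad6683656cf", "d7b530a4-7680-4c23-a8bf-c52c121d2e87",
}
EXCLUDED_REQUEST_TYPES = {
    "Consent:Set", "DeviceAuth:ReprocessTls", "Kmsi:kmsi", "Login:reprocess", "Login:resume",
    "MessagePrompt:MessagePrompt", "Saml2:processrequest", "SAS:EndAuth", "SAS:ProcessAuth",
}
EXCLUDED_UA_SUBSTRINGS = ("iPhone", "iPad", "Android", "PKeyAuth")


def matches_static_filter(evt):
    """True if the event passes every static clause of the query (no history needed)."""
    types = evt.get("o365.audit.Target.Type", [])  # may be a scalar or an array of types
    user = evt.get("o365.audit.UserId")
    ua = evt.get("user_agent.original") or ""
    return (evt.get("data_stream.dataset") == "o365.audit"
            and evt.get("event.provider") == "AzureActiveDirectory"
            and evt.get("event.action") == "UserLoggedIn"
            and evt.get("event.outcome") == "success"
            and any(t in TARGET_TYPES for t in (types if isinstance(types, list) else [types]))
            and bool(user) and user != "Not Available"  # UserId:(* and not "Not Available")
            and bool(evt.get("source.geo.country_name")) and bool(evt.get("source.geo.region_name"))
            # a missing ApplicationId/RequestType is not excluded, like the query's `not field:(...)`
            and evt.get("o365.audit.ApplicationId") not in EXCLUDED_APP_IDS
            and evt.get("o365.audit.ExtendedProperties.RequestType") not in EXCLUDED_REQUEST_TYPES
            and not any(s in ua for s in EXCLUDED_UA_SUBSTRINGS))


class AtypicalRegionDetector:
    """Assumed model of the history check: a rolling per-user set of (country, region)
    pairs; a pair not seen within window_seconds is atypical and alerts."""

    def __init__(self, window_seconds=30 * DAY):
        self.window = window_seconds
        self._seen = defaultdict(dict)  # user -> {(country, region): last_seen_ts}

    def process(self, evt):
        """Return True if evt should alert; every matching login is recorded in history."""
        if not matches_static_filter(evt):
            return False
        user, now = evt["o365.audit.UserId"], evt["@timestamp"]
        pair = (evt["source.geo.country_name"], evt["source.geo.region_name"])
        history = self._seen[user]
        for stale in [p for p, ts in history.items() if now - ts > self.window]:
            del history[stale]  # a pair unused for longer than the window counts as new again
        is_new = pair not in history
        history[pair] = now
        return is_new


def make_login(user, country, region, ts, **overrides):
    """Constructed o365.audit event carrying only the fields the query reads."""
    evt = {
        "@timestamp": ts, "data_stream.dataset": "o365.audit",
        "event.provider": "AzureActiveDirectory", "event.action": "UserLoggedIn",
        "event.outcome": "success", "o365.audit.Target.Type": [0], "o365.audit.UserId": user,
        "o365.audit.ApplicationId": "00000000-0000-0000-0000-000000000000",  # placeholder, not excluded
        "o365.audit.ExtendedProperties.RequestType": "Login:login",
        "source.geo.country_name": country, "source.geo.region_name": region,
        "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    }
    evt.update(overrides)
    return evt


# Constructed sample stream (not real telemetry); comments give the expected verdict.
BASELINE = [make_login("alice@example.com", "United States", "Washington", 0)]
SAMPLE_EVENTS = [
    make_login("alice@example.com", "United States", "Washington", DAY),        # known pair
    make_login("alice@example.com", "Romania", "Bucharest", 2 * DAY),            # new pair -> alert
    make_login("alice@example.com", "Romania", "Bucharest", 2 * DAY + 60),       # now known
    make_login("bob@example.com", "Germany", "Berlin", 2 * DAY,
               **{"user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)"}),  # mobile UA excluded
    make_login("Not Available", "Germany", "Berlin", 2 * DAY),                   # UserId excluded
    make_login("carol@example.com", "France", "Ile-de-France", 2 * DAY,
               **{"o365.audit.ExtendedProperties.RequestType": "Login:resume"}),  # intermediate step
    make_login("carol@example.com", "France", "Ile-de-France", 2 * DAY,
               **{"o365.audit.ApplicationId": "29d9ed98-a469-4536-ade2-f981bc1d605e"}),  # excluded app
    make_login("alice@example.com", "Romania", "Bucharest", 40 * DAY),           # aged out -> alert again
    make_login("alice@example.com", "Brazil", "Sao Paulo", 40 * DAY,
               **{"event.outcome": "failure"}),                                  # failed login ignored
]


def run_detection(baseline=BASELINE, events=SAMPLE_EVENTS, window_seconds=30 * DAY):
    """Seed history from baseline, then return one verdict per event (True = alert)."""
    det = AtypicalRegionDetector(window_seconds)
    for evt in baseline:
        det.process(evt)  # learn without acting on the verdict
    return [det.process(e) for e in events]
```

Two points the sample stream makes visible: the history must be seeded before the rule goes live, or every user's first login alerts; and because pairs age out of the window, a user returning to their home region after a long absence alerts as well, so the window length is a tuning knob, not just a retention setting. Target.Type is handled as an array because a single audit record can carry several targets, and the query matches if any of them is a listed type.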