Microsoft 365 or Entra ID Sign-in from a Suspicious Source
This rule correlate Azure or Office 356 mail successful sign-in events with network security alerts by source.ip. Adversaries may trigger some network security alerts such as reputation or other anomalies before accessing cloud resources.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2025/04/29"
3integration = ["azure", "o365"]
4maturity = "production"
5updated_date = "2025/07/30"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule correlate Azure or Office 356 mail successful sign-in events with network security alerts by source.ip.
11Adversaries may trigger some network security alerts such as reputation or other anomalies before accessing cloud
12resources.
13"""
14false_positives = [
15 """
16 Custom network security rules that triggers on a proxy or gateway used by users to access Azure or O365.
17 """,
18]
19from = "now-60m"
20language = "esql"
21license = "Elastic License v2"
22name = "Microsoft 365 or Entra ID Sign-in from a Suspicious Source"
23note = """## Triage and analysis
24
25### Investigating Microsoft 365 or Entra ID Sign-in from a Suspicious Source
26
27#### Possible investigation steps
28
29- Investiguate all the alerts associated with the source.ip.
30 - Verify the network security alert details associated with this source.ip.
31 - Verify all sign-in events associated with this source.ip.
32 - Consider the source IP address and geolocation for the involved user account.
33 - Consider the device used to sign in. Is it registered and compliant?
34- Investigate other alerts associated with the user account during the past 48 hours.
35- Contact the account owner and confirm whether they are aware of this activity.
36- Check if this operation was approved and performed according to the organization's change management policy.
37- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.
38
39### Response and remediation
40
41- Initiate the incident response process based on the outcome of the triage.
42- Disable or limit the account during the investigation and response.
43- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
44 - Identify the account role in the cloud environment.
45 - Assess the criticality of affected services and servers.
46 - Work with your IT team to identify and minimize the impact on users.
47 - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
48 - Identify any regulatory or legal ramifications related to this activity.
49- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
50- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.
51- Consider enabling multi-factor authentication for users.
52- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.
53- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
54- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
55
56## Setup
57
58The Azure Fleet integration, Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
59risk_score = 73
60rule_id = "f0cc239b-67fa-46fc-89d4-f861753a40f5"
61severity = "high"
62tags = [
63 "Domain: Cloud",
64 "Domain: SaaS",
65 "Data Source: Azure",
66 "Data Source: Entra ID",
67 "Data Source: Entra ID Sign-in Logs",
68 "Data Source: Microsoft 365",
69 "Data Source: Microsoft 365 Audit Logs",
70 "Use Case: Identity and Access Audit",
71 "Use Case: Threat Detection",
72 "Tactic: Initial Access",
73 "Resources: Investigation Guide",
74 "Rule Type: Higher-Order Rule",
75]
76timestamp_override = "event.ingested"
77type = "esql"
78
79query = '''
80from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
81// query runs every 1 hour looking for activities occurred during last 8 hours to match on disparate events
82| where @timestamp > now() - 8 hours
83// filter for azure or m365 sign-in and external alerts with source.ip not null
84| where to_ip(source.ip) is not null
85 and (event.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.name == "External Alerts")
86 and not cidr_match(
87 to_ip(source.ip),
88 "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
89 "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
90 "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
91 "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
92 "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8"
93 )
94
95// capture relevant raw fields
96| keep source.ip, event.action, event.outcome, event.dataset, kibana.alert.rule.name, event.category
97
98// classify each source ip based on alert type
99| eval
100 Esql.source_ip_mail_access_case = case(event.dataset == "o365.audit" and event.action == "MailItemsAccessed" and event.outcome == "success", to_ip(source.ip), null),
101 Esql.source_ip_azure_signin_case = case(event.dataset == "azure.signinlogs" and event.outcome == "success", to_ip(source.ip), null),
102 Esql.source_ip_network_alert_case = case(kibana.alert.rule.name == "external alerts" and not event.dataset in ("o365.audit", "azure.signinlogs"), to_ip(source.ip), null)
103
104// aggregate by source ip
105| stats
106 Esql.event_count = count(*),
107 Esql.source_ip_mail_access_case_count_distinct = count_distinct(Esql.source_ip_mail_access_case),
108 Esql.source_ip_azure_signin_case_count_distinct = count_distinct(Esql.source_ip_azure_signin_case),
109 Esql.source_ip_network_alert_case_count_distinct = count_distinct(Esql.source_ip_network_alert_case),
110 Esql.event_dataset_count_distinct = count_distinct(event.dataset),
111 Esql.event_dataset_values = values(event.dataset),
112 Esql.kibana_alert_rule_name_values = values(kibana.alert.rule.name),
113 Esql.event_category_values = values(event.category)
114 by Esql.source_ip = to_ip(source.ip)
115
116// correlation condition
117| where
118 Esql.source_ip_network_alert_case_count_distinct > 0
119 and Esql.event_dataset_count_distinct >= 2
120 and (Esql.source_ip_mail_access_case_count_distinct > 0 or Esql.source_ip_azure_signin_case_count_distinct > 0)
121 and Esql.event_count <= 100
122'''
123
124
125[[rule.threat]]
126framework = "MITRE ATT&CK"
127[[rule.threat.technique]]
128id = "T1078"
129name = "Valid Accounts"
130reference = "https://attack.mitre.org/techniques/T1078/"
131
132
133[rule.threat.tactic]
134id = "TA0001"
135name = "Initial Access"
136reference = "https://attack.mitre.org/tactics/TA0001/"
Triage and analysis
Investigating Microsoft 365 or Entra ID Sign-in from a Suspicious Source
Possible investigation steps
- Investiguate all the alerts associated with the source.ip.
- Verify the network security alert details associated with this source.ip.
- Verify all sign-in events associated with this source.ip.
- Consider the source IP address and geolocation for the involved user account.
- Consider the device used to sign in. Is it registered and compliant?
- Investigate other alerts associated with the user account during the past 48 hours.
- Contact the account owner and confirm whether they are aware of this activity.
- Check if this operation was approved and performed according to the organization's change management policy.
- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.
Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Disable or limit the account during the investigation and response.
- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
- Identify the account role in the cloud environment.
- Assess the criticality of affected services and servers.
- Work with your IT team to identify and minimize the impact on users.
- Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
- Identify any regulatory or legal ramifications related to this activity.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.
- Consider enabling multi-factor authentication for users.
- Follow security best practices outlined by Microsoft.
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
Setup
The Azure Fleet integration, Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Related rules
- TeamFiltration User-Agents Detected
- BloodHound Suite User-Agents Detected
- Entra ID Protection - Risk Detection - User Risk
- Entra ID Protection - Risk Detection - Sign-in Risk
- Microsoft 365 OAuth Phishing via Visual Studio Code Client