Microsoft 365 Impossible travel activity
Identifies when Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with impossible travel.
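[metadata]
creation_date = "2021/07/15"
integration = ["o365"]
# NOTE(review): the rule's own `note` below says it is no longer applicable after
# changes to Microsoft Defender for Office 365, yet maturity is still "development"
# and the name carries no deprecation marker. Confirm the intended lifecycle state
# so the rule is not enabled in production by mistake.
maturity = "development"
updated_date = "2024/09/05"

[rule]
author = ["Austin Songer"]
description = """
Identifies when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an
impossible travel.
"""
# Legitimate VPN or proxy egress changes can look like impossible travel; triage
# against the user's known VPN usage before escalating.
false_positives = ["User using a VPN may lead to false positives."]
# Lookback window, relative to each rule execution.
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Impossible travel activity"
note = """
## Important

This rule is no longer applicable based on changes to Microsoft Defender for Office 365. Please refer to the following rules for similar detections:

- Microsoft 365 Portal Logins from Impossible Travel Locations (3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc)
- Microsoft 365 Portal Login from Rare Location (32d3ad0e-6add-11ef-8c7b-f661ea17fbcc)

Reference: https://learn.microsoft.com/en-us/defender-cloud-apps/cloud-discovery-anomaly-detection-policy
"""
setup = """
## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
    "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
    "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
]
risk_score = 47
rule_id = "9c49fe22-4e86-4384-a9a0-602f4d54088d"
severity = "medium"
# NOTE(review): "Use Case: Configuration Audit" reads oddly for a sign-in anomaly
# detection; an identity/access or threat-detection use case tag may fit better.
# Confirm against the tag taxonomy before changing.
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
# Evaluate against ingest time rather than @timestamp so audit events that arrive
# late are still covered by the lookback window.
timestamp_override = "event.ingested"
type = "query"

# Matches the Cloud App Security anomaly alert as surfaced through the O365 audit log.
# NOTE(review): `event.outcome:success` here appears to describe the audit event
# itself, not the sign-in that triggered the alert — confirm against the
# integration's field mapping.
query = '''
event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Impossible travel activity" and event.outcome:success
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"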
Important
This rule is no longer applicable based on changes to Microsoft Defender for Office 365. Please refer to the following rules for similar detections:
- Microsoft 365 Portal Logins from Impossible Travel Locations (3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc)
- Microsoft 365 Portal Login from Rare Location (32d3ad0e-6add-11ef-8c7b-f661ea17fbcc)
Reference: https://learn.microsoft.com/en-us/defender-cloud-apps/cloud-discovery-anomaly-detection-policy
References
Related rules
- Suspicious Microsoft 365 Mail Access by ClientAppId
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 User Restricted from Sending Email
- Microsoft 365 Exchange DLP Policy Removed