Microsoft 365 Impossible travel activity
Identifies when Microsoft Cloud App Security reports a risky sign-in attempt due to a login associated with impossible travel.
Elastic rule
```toml
[metadata]
creation_date = "2021/07/15"
integration = ["o365"]
maturity = "development"
updated_date = "2025/01/15"

[rule]
author = ["Austin Songer"]
description = """
Identifies when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an
impossible travel.
"""
false_positives = ["User using a VPN may lead to false positives."]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Impossible travel activity"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft 365 Impossible travel activity

Microsoft 365's security features monitor user sign-ins to detect anomalies like impossible travel, where a user appears to log in from geographically distant locations in a short time. Adversaries may exploit compromised credentials to access accounts from unexpected locations. The detection rule identifies such suspicious logins by analyzing audit logs for successful sign-ins flagged as impossible travel, helping to mitigate unauthorized access.

### Possible investigation steps

- Review the audit logs for the specific event.dataset:o365.audit to gather details about the sign-in attempt, including the timestamp, IP addresses, and user account involved.
- Cross-reference the event.provider:SecurityComplianceCenter logs to identify any additional security alerts or anomalies associated with the same user account or IP addresses.
- Analyze the event.category:web logs to determine the geographical locations of the sign-ins and assess the feasibility of the travel between these locations within the given timeframe.
- Investigate the user account's recent activity to identify any other suspicious behavior or unauthorized access attempts, focusing on event.action:"Impossible travel activity".
- Check the event.outcome:success to confirm that the sign-in was successful and assess the potential impact of the unauthorized access.
- Contact the user to verify if they were traveling or if they recognize the sign-in activity, and advise them to change their password if the activity is deemed suspicious.
- Consider implementing additional security measures, such as multi-factor authentication, for the affected user account to prevent future unauthorized access.

### False positive analysis

- Frequent travel by users can trigger false positives. Implement a policy to whitelist known travel patterns for specific users who often travel between the same locations.
- Use of VPNs or proxy services can result in logins appearing from different geographic locations. Identify and exclude IP addresses associated with trusted VPN services used by your organization.
- Remote work scenarios where users log in from multiple locations in a short time can be misinterpreted. Establish a baseline for remote work patterns and adjust the rule to accommodate these behaviors.
- Shared accounts accessed by multiple users from different locations can cause false positives. Consider implementing stricter access controls or transitioning to individual accounts to reduce this risk.
- Regularly review and update the list of known safe locations and IP addresses to ensure that legitimate activities are not flagged as suspicious.

### Response and remediation

- Immediately isolate the affected user account by disabling it to prevent further unauthorized access.
- Initiate a password reset for the compromised account and enforce multi-factor authentication (MFA) to enhance security.
- Review the audit logs for the affected account to identify any unauthorized access or data exfiltration activities and document findings for further analysis.
- Notify the user and relevant stakeholders about the incident, providing guidance on recognizing phishing attempts and securing their credentials.
- Escalate the incident to the security operations team for a thorough investigation to determine the root cause and potential impact.
- Implement geo-blocking policies to restrict access from high-risk locations that are not relevant to the organization's operations.
- Update and refine security monitoring rules to enhance detection capabilities for similar suspicious activities in the future.

## Important

This rule is no longer applicable based on changes to Microsoft Defender for Office 365. Please refer to the following rules for similar detections:

- Microsoft 365 Portal Logins from Impossible Travel Locations (3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc)
- Microsoft 365 Portal Login from Rare Location (32d3ad0e-6add-11ef-8c7b-f661ea17fbcc)

Reference: https://learn.microsoft.com/en-us/defender-cloud-apps/cloud-discovery-anomaly-detection-policy
"""
setup = """
## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
    "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
    "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
]
risk_score = 47
rule_id = "9c49fe22-4e86-4384-a9a0-602f4d54088d"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Impossible travel activity" and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
```
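The following is an added example and not part of the Elastic rule: it replays the rule's KQL query as a predicate over constructed, flattened o365 audit events, applies the trusted-VPN IP exclusion suggested in the false-positive analysis, and computes the implied travel speed between two sign-in locations as the investigation steps ask an analyst to do. The `source.ip` field, the geo-coordinates, the allowlist and the 900 km/h ceiling are assumptions introduced here, not fields or values from the rule.

```python
# Added example, not part of the Elastic rule: KQL query as a Python predicate over constructed
# events, trusted-VPN exclusion (false-positive guidance), and travel-feasibility check (triage).
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

TRUSTED_VPN_IPS = {"203.0.113.10"}  # constructed allowlist (documentation address range)
MAX_PLAUSIBLE_KMH = 900.0           # assumed ceiling, roughly airliner cruise speed

QUERY = {"event.dataset": "o365.audit", "event.provider": "SecurityComplianceCenter",
         "event.category": "web", "event.action": "Impossible travel activity",
         "event.outcome": "success"}  # the rule query is an AND of these exact matches

def _ev(i, outcome, ip):
    """Constructed event; source.ip is an assumed ECS field the rule itself does not query."""
    return {**QUERY, "id": i, "event.outcome": outcome, "source.ip": ip}

EVENTS = [_ev(1, "success", "198.51.100.7"),   # should alert
          _ev(2, "success", "203.0.113.10"),   # trusted VPN egress, suppressed
          _ev(3, "failure", "198.51.100.7")]   # failed attempt, outside the query

def matches_rule(ev):
    """True only when every clause of the rule query holds for the event."""
    return all(ev.get(field) == value for field, value in QUERY.items())

def alert_ids(events):
    """IDs that still fire after the rule predicate and the VPN exclusion."""
    return [ev["id"] for ev in events
            if matches_rule(ev) and ev.get("source.ip") not in TRUSTED_VPN_IPS]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points (mean Earth radius 6371 km)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def implied_speed_kmh(prev, curr):
    """Speed the user would need to move between consecutive sign-in locations."""
    km = haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    hours = (curr["ts"] - prev["ts"]).total_seconds() / 3600.0
    return km / hours if hours > 0 else float("inf")

def travel_plausible(prev, curr):
    return implied_speed_kmh(prev, curr) <= MAX_PLAUSIBLE_KMH

# Constructed sign-ins two hours apart: London then Paris is plausible, London then Sydney is not.
T0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
LONDON = {"lat": 51.5074, "lon": -0.1278, "ts": T0}
PARIS = {"lat": 48.8566, "lon": 2.3522, "ts": T0.replace(hour=11)}
SYDNEY = {"lat": -33.8688, "lon": 151.2093, "ts": T0.replace(hour=11)}
```

Only event 1 survives both the query and the exclusion; the London-to-Sydney pair implies several thousand km/h and fails the feasibility check, while London-to-Paris passes.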