Microsoft 365 Impossible travel activity

Identifies when Microsoft Cloud App Security reports a risky sign-in attempt because the login is associated with impossible travel.


# Elastic prebuilt detection rule. Surfaces Microsoft Cloud App Security
# "Impossible travel activity" alerts as they arrive in the Office 365 audit
# log, so a sign-in from an implausibly distant location becomes a detection
# alert in the SIEM.
[metadata]
creation_date = "2021/07/15"
integration = ["o365"]
# "development" maturity — presumably not yet shipped in the production rule
# package; confirm against the detection-rules repository.
maturity = "development"
updated_date = "2023/06/22"

[rule]
author = ["Austin Songer"]
description = """
Identifies when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an
impossible travel.
"""
# A VPN exit node far from the user's physical location makes consecutive
# legitimate logins look geographically impossible; triage should check the
# source network before escalating.
false_positives = ["User using a VPN may lead to false positives."]
# Lookback window for each rule execution; paired with timestamp_override
# below so audit records ingested late still fall inside the window.
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Impossible travel activity"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
    "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
    "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
]
risk_score = 47
rule_id = "9c49fe22-4e86-4384-a9a0-602f4d54088d"
severity = "medium"
# NOTE(review): "Use Case: Configuration Audit" reads as a mismatch for a
# sign-in anomaly; an identity/access-audit use case may fit better — confirm
# against the rule tag taxonomy.
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
# Evaluate the lookback window on ingest time rather than event time,
# presumably so records that arrive later than their @timestamp are not
# skipped between executions.
timestamp_override = "event.ingested"
type = "query"

# Matches the CAS alert record itself (event.action), not the underlying
# sign-in event. Comments cannot be placed inside the literal string, so note
# here: event.outcome:success is read as "the alert fired" — confirm that is
# what SecurityComplianceCenter events populate in o365.audit.
query = '''
event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Impossible travel activity" and event.outcome:success
'''


# Anomalous use of an otherwise valid account: Valid Accounts (T1078) under
# Initial Access (TA0001).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

Setup

This rule requires the Office 365 Logs Fleet integration, the Filebeat module, or similarly structured data.
