Microsoft 365 Impossible travel activity
Identifies when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/07/15"
3integration = ["o365"]
4maturity = "development"
5updated_date = "2023/06/22"
6
7[rule]
8author = ["Austin Songer"]
9description = """
10Identifies when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an
11impossible travel.
12"""
13false_positives = ["User using a VPN may lead to false positives."]
14from = "now-30m"
15index = ["filebeat-*", "logs-o365*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "Microsoft 365 Impossible travel activity"
19note = """## Setup
20
21The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
22"""
23references = [
24 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
25 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
26]
27risk_score = 47
28rule_id = "9c49fe22-4e86-4384-a9a0-602f4d54088d"
29severity = "medium"
30tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
31timestamp_override = "event.ingested"
32type = "query"
33
34query = '''
35event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Impossible travel activity" and event.outcome:success
36'''
37
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41[[rule.threat.technique]]
42id = "T1078"
43name = "Valid Accounts"
44reference = "https://attack.mitre.org/techniques/T1078/"
45
46
47[rule.threat.tactic]
48id = "TA0001"
49name = "Initial Access"
50reference = "https://attack.mitre.org/tactics/TA0001/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Microsoft 365 Mass download by a single user
- Application Added to Google Workspace Domain
- Application Removed from Blocklist in Google Workspace
- Azure Active Directory High Risk Sign-in
- Azure Active Directory High Risk User Sign-in Heuristic