Microsoft 365 Portal Logins from Impossible Travel Locations
Detects successful Microsoft 365 portal logins from impossible travel locations, defined here as logins from two different countries within a short time frame. This behavior may indicate an adversary using a compromised account to access Microsoft 365, or a malicious actor accessing a Microsoft 365 account from a different location.
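[metadata]
creation_date = "2024/09/04"
integration = ["o365"]
maturity = "production"
updated_date = "2024/09/25"

[rule]
author = ["Elastic"]
description = """
Detects successful Microsoft 365 portal logins from impossible travel locations. Impossible travel locations are defined
as two different countries within a short time frame. This behavior may indicate an adversary attempting to access a
Microsoft 365 account from a compromised account or a malicious actor attempting to access a Microsoft 365 account from
a different location.
"""
false_positives = [
    """
    False positives may occur when users are using a VPN or when users are traveling to different locations for
    legitimate purposes.
    """,
]
# Lookback window of each rule execution. Together with the cardinality
# condition in [rule.threshold] this is the "short time frame" the
# description refers to: two countries seen for one user inside this window.
from = "now-15m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Portal Logins from Impossible Travel Locations"
references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
risk_score = 47
rule_id = "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Threat Detection", "Tactic: Initial Access"]
# Evaluate against ingest time rather than the event's own timestamp so that
# audit records delivered late are still considered within the lookback window.
timestamp_override = "event.ingested"
type = "threshold"

# Base filter: successful sign-in events (UserLoggedIn) from the
# AzureActiveDirectory provider in the O365 unified audit log. Events whose
# UserId is "Not Available" are excluded; otherwise they would all be grouped
# into one threshold bucket and could produce a meaningless alert.
# Target.Type is a numeric type code from the AzureActiveDirectory audit
# schema. NOTE(review): the meaning of each listed code is not documented
# here — confirm against the Office 365 Management Activity API schema before
# adding or removing values.
query = '''
event.dataset: "o365.audit"
    and event.provider: "AzureActiveDirectory"
    and event.action: "UserLoggedIn"
    and event.outcome: "success"
    and not o365.audit.UserId: "Not Available"
    and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

# Group matching events by user; a bucket alerts when it holds at least
# `value` (1) events AND the cardinality condition below is met, i.e. the
# user's successful logins in the window carry at least 2 distinct
# source.geo.country_name values.
# This is a distinct-country count, not a velocity/distance computation: no
# check is made that the two locations are actually unreachable in the
# elapsed time, so a VPN egress change or a GeoIP mis-attribution inside the
# 15-minute window also satisfies it (see false_positives above).
# The condition depends on source.geo.country_name being populated by GeoIP
# enrichment in the ingest pipeline; if that field is absent on the events,
# the cardinality can never reach 2 and the rule will not fire.
[rule.threshold]
field = ["o365.audit.UserId"]
value = 1
[[rule.threshold.cardinality]]
field = "source.geo.country_name"
value = 2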