Microsoft 365 Portal Login from Rare Location
Detects successful Microsoft 365 portal logins from rare locations. Rare locations are defined as locations that are not commonly associated with the user's account. This behavior may indicate an adversary attempting to access a Microsoft 365 account from an unusual location or from behind a VPN.
Elastic rule (View on GitHub)
# Elastic prebuilt detection rule: Microsoft 365 portal login from a location
# that is new for the user. Rule type is new_terms: it keys on the pair
# (user, source country) and alerts the first time a pair appears that was
# not seen inside the history window declared at the bottom of this file.
[metadata]
creation_date = "2024/09/04"
# The o365 integration populates the o365.audit.* and event.* fields the
# query depends on.
integration = ["o365"]
maturity = "production"
updated_date = "2024/09/25"

[rule]
author = ["Elastic"]
description = """
Detects successful Microsoft 365 portal logins from rare locations. Rare locations are defined as locations that are not
commonly associated with the user's account. This behavior may indicate an adversary attempting to access a Microsoft
365 account from an unusual location or behind a VPN.
"""
# Known benign triggers. VPN egress and travel both change source.geo.country_name
# for a user; handle them with rule exceptions rather than by widening the query.
false_positives = [
 """
 False positives may occur when users are using a VPN or when users are traveling to different locations.
 """,
]
# Look-back applied on each execution. The scheduled interval is not declared
# here, so the overlap that absorbs ingest delay is assumed to be the default
# for this rule type; confirm when tuning.
from = "now-9m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Portal Login from Rare Location"
references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
risk_score = 47
rule_id = "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Threat Detection", "Tactic: Initial Access"]
# Evaluates events by ingest time instead of the event's own timestamp;
# presumably chosen because Microsoft 365 audit records can arrive well after
# the login itself. Confirm that this matches the look-back above.
timestamp_override = "event.ingested"
type = "new_terms"

# Query scope (KQL; comments cannot go inside the literal string):
#   - event.dataset / event.provider restrict to Azure AD (Entra ID) sign-in
#     records in the unified audit log.
#   - event.action "UserLoggedIn" with event.outcome "success" keeps only
#     successful logins; failed attempts are out of scope for this rule.
#   - o365.audit.UserId "Not Available" is excluded because UserId is one of
#     the new-terms fields below; an unresolved placeholder would collapse all
#     such logins into a single term.
#   - o365.audit.Target.Type is filtered to a fixed set of type codes. The
#     meaning of each code is not documented in this file; verify against the
#     vendor's audit schema before adding or removing values.
query = '''
event.dataset: "o365.audit"
 and event.provider: "AzureActiveDirectory"
 and event.action: "UserLoggedIn"
 and event.outcome: "success"
 and not o365.audit.UserId: "Not Available"
 and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
'''


# MITRE ATT&CK mapping: T1078.004 (Valid Accounts: Cloud Accounts) under
# Initial Access. The tactic table follows the technique entries per the
# Elastic rule layout.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

# New-terms configuration. The term is the combination of the two fields, so
# an alert means this user has not been seen from this country within the
# history window. source.geo.country_name comes from GeoIP enrichment of the
# login's source address; how records lacking that field are treated is not
# visible here — confirm the enrichment is in place, otherwise the rule is
# effectively silent.
[rule.new_terms]
field = "new_terms_fields"
value = ["o365.audit.UserId", "source.geo.country_name"]
# Single-element array-of-tables is the Elastic rule schema's form, not a
# TOML idiom; keep it as is. 14 days of history establishes the baseline.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
References
Related rules
- Microsoft 365 Portal Logins from Impossible Travel Locations
- Microsoft 365 Impossible travel activity
- Suspicious Microsoft 365 Mail Access by ClientAppId
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification