Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
Sigma rule (View on GitHub)
1title: Atypical Travel 2id: 1a41023f-1e70-4026-921a-4d9341a9038e 3status: experimental 4description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. 5references: 6 - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel 7 - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins 8author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' 9date: 2023/09/03 10tags: 11 - attack.t1078 12 - attack.persistence 13 - attack.defense_evasion 14 - attack.privilege_escalation 15 - attack.initial_access 16logsource: 17 product: azure 18 service: riskdetection 19detection: 20 selection: 21 riskEventType: 'unlikelyTravel' 22 condition: selection 23falsepositives: 24 - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. 25level: high
- Activity From Anonymous IP Address
- Impossible Travel
- New Country
- Suspicious Browser Activity
- Unfamiliar Sign-In Properties