Impossible Travel
Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
Sigma rule (View on GitHub)
1title: Impossible Travel
2id: b2572bf9-e20a-4594-b528-40bde666525a
3status: experimental
4description: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
5references:
6 - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel
7 - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
8author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
9date: 2023/09/03
10tags:
11 - attack.t1078
12 - attack.persistence
13 - attack.defense_evasion
14 - attack.privilege_escalation
15 - attack.initial_access
16logsource:
17 product: azure
18 service: riskdetection
19detection:
20 selection:
21 riskEventType: 'impossibleTravel'
22 condition: selection
23falsepositives:
24 - Connecting to a VPN, performing activity and then dropping and performing additional activity.
25level: high
References
-
-
Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
Read More
Related rules
- Account Tampering - Suspicious Failed Logon Reasons
- Application Using Device Code Authentication Flow
- Applications That Are Using ROPC Authentication Flow
- Azure AD Threat Intelligence
- Activity From Anonymous IP Address