
Summary
This detection rule identifies possible unauthorized access to Microsoft 365 accounts by flagging successful logins from impossible travel locations. An impossible travel anomaly occurs when a single user account authenticates from two different countries within a time frame too short for the user to have physically moved between them. Such activity can indicate that an adversary is using stolen credentials, or that the account has otherwise been compromised, and should be treated as a likely account takeover until the travel is explained. The rule uses Microsoft 365 audit log data, focusing on successful login events and tuning out known false positives such as legitimate travel or corporate VPN egress; cloud proxies, mobile-carrier NAT and split-tunnel VPNs are the usual sources of benign alerts and should be allow-listed as they are confirmed. It flags logins that appear from disparate geographical locations within a narrow window, so that the organisation can respond quickly to a potential compromise. Investigative steps for analysts include examining the source IP addresses (ownership, reputation, and whether they belong to a VPN or hosting provider), reviewing the user's surrounding activity, and confirming with the user whether the travel is legitimate. Responses to a confirmed compromise include disabling the account, enforcing a password reset (together with revoking existing sessions and tokens, since a reset alone does not end them), and potentially applying geo-blocking as a preventive measure. The detection is mapped to the MITRE ATT&CK framework (Valid Accounts, T1078, and its Cloud Accounts sub-technique, T1078.004), giving a structured view of the tactics and techniques involved in this kind of unauthorized access.
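The logic described above, as an added example that is not the detection's own search: it filters unified-audit-log style records to successful UserLoggedIn events, drops a constructed VPN egress allow-list, geolocates each source IP through a constructed GeoIP stand-in, and flags consecutive sign-ins by the same user whose required travel speed exceeds what a commercial flight could achieve. The field names (CreationTime, Operation, ResultStatus, UserId, ClientIP), the GEO_LOOKUP table, the KNOWN_VPN_EGRESS set and the sample records are all assumptions constructed for the example.

```python
"""Impossible-travel check over Microsoft 365 UserLoggedIn audit records.

Added example, not the detection's own search. Hypothetical assumptions:
record field names mirror the unified audit log, GEO_LOOKUP stands in for
a GeoIP database, KNOWN_VPN_EGRESS is a constructed allow-list.
"""
import math
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed GeoIP stand-in: /24 prefix -> (country, latitude, longitude)
GEO_LOOKUP: Dict[str, Tuple[str, float, float]] = {
    "203.0.113": ("US", 40.7128, -74.0060),   # New York
    "198.51.100": ("DE", 52.5200, 13.4050),   # Berlin
    "192.0.2": ("SG", 1.3521, 103.8198),      # Singapore
}

# Constructed corporate VPN egress address: sign-ins from here are benign.
KNOWN_VPN_EGRESS = {"198.51.100.7"}

# Faster than any commercial flight: treat as physically impossible.
MAX_SPEED_KMH = 900.0


def geolocate(ip: str):
    """Return (country, lat, lon) for an IPv4 address, or None if unknown."""
    return GEO_LOOKUP.get(ip.rsplit(".", 1)[0])


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_impossible_travel(records: List[dict], max_speed_kmh: float = MAX_SPEED_KMH) -> List[dict]:
    """Return one alert per pair of consecutive successful sign-ins by the same
    user from different countries whose implied speed exceeds max_speed_kmh."""
    logins = []
    for rec in records:
        # Only successful interactive sign-ins matter for this rule.
        if rec.get("Operation") != "UserLoggedIn" or rec.get("ResultStatus") != "Succeeded":
            continue
        ip = rec.get("ClientIP", "")
        if ip in KNOWN_VPN_EGRESS:          # known false positive source
            continue
        geo = geolocate(ip)
        if geo is None:                     # cannot place it: skip, do not guess
            continue
        ts = datetime.fromisoformat(rec["CreationTime"].replace("Z", "+00:00"))
        logins.append((rec["UserId"], ts, ip, geo))

    logins.sort(key=lambda x: (x[0], x[1]))  # group by user, then by time
    alerts = []
    for (u1, t1, ip1, g1), (u2, t2, ip2, g2) in zip(logins, logins[1:]):
        if u1 != u2 or g1[0] == g2[0]:
            continue                        # different user, or same country
        hours = (t2 - t1).total_seconds() / 3600.0
        dist_km = haversine_km(g1[1], g1[2], g2[1], g2[2])
        speed = dist_km / hours if hours > 0 else float("inf")
        if speed > max_speed_kmh:
            alerts.append({
                "user": u1, "from_ip": ip1, "from_country": g1[0],
                "to_ip": ip2, "to_country": g2[0],
                "distance_km": round(dist_km), "required_speed_kmh": round(speed),
            })
    return alerts


# Constructed sample audit records (not real log data).
SAMPLE_RECORDS = [
    {"CreationTime": "2024-09-04T09:45:00Z", "Operation": "UserLoggedIn", "ResultStatus": "Succeeded",
     "UserId": "alice@example.com", "ClientIP": "192.0.2.44"},          # Singapore, 45 min later
    {"CreationTime": "2024-09-04T09:00:00Z", "Operation": "UserLoggedIn", "ResultStatus": "Succeeded",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10"},        # New York
    {"CreationTime": "2024-09-04T08:00:00Z", "Operation": "UserLoggedIn", "ResultStatus": "Succeeded",
     "UserId": "bob@example.com", "ClientIP": "203.0.113.22"},          # New York
    {"CreationTime": "2024-09-04T20:00:00Z", "Operation": "UserLoggedIn", "ResultStatus": "Succeeded",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.9"},          # Berlin, 12 h later: flyable
    {"CreationTime": "2024-09-04T10:00:00Z", "Operation": "UserLoggedIn", "ResultStatus": "Succeeded",
     "UserId": "carol@example.com", "ClientIP": "203.0.113.5"},         # New York
    {"CreationTime": "2024-09-04T10:05:00Z", "Operation": "UserLoggedIn", "ResultStatus": "Succeeded",
     "UserId": "carol@example.com", "ClientIP": "198.51.100.7"},        # corporate VPN egress: allow-listed
    {"CreationTime": "2024-09-04T10:10:00Z", "Operation": "UserLoggedIn", "ResultStatus": "Failed",
     "UserId": "carol@example.com", "ClientIP": "192.0.2.9"},           # failed: not a successful login
]

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_RECORDS):
        print(alert)
```

Only alice is flagged: New York to Singapore in 45 minutes implies a speed of roughly 20,000 km/h. Bob's New York to Berlin hop over 12 hours works out to about 530 km/h and passes, carol's second sign-in is suppressed by the allow-list, and her failed attempt is ignored because the rule only considers successful logins. Expressing the threshold as required speed rather than a fixed time window avoids alerting on, for example, a two-hour gap between neighbouring countries.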
Categories
- Cloud
Data Sources
- User Account
- Cloud Service
ATT&CK Techniques
- T1078
- T1078.004
Created: 2024-09-04