
Summary
Detects suspicious Microsoft Entra ID interactive sign-ins for the same user from geographically distant locations within a 90-minute window, where the implied travel speed between the two points exceeds 800 km/h and the separation is at least 500 km. This pattern suggests either VPN/proxy egress or a compromised account being used from a location different from the legitimate user. The rule focuses on SignInLogs (interactive sign-ins) and excludes non-interactive token refresh activity. It uses Azure Entra ID sign-in data to compute both a bbox-based separation (region centroids) for triage and an honest pair based on the actual first/last sign-ins to validate travel plausibility. Affected indicators include user principal, geographic values, IPs, user agents, device/browser/os details, apps touched, and resources accessed. False positives include VPN/proxy egress to distant regions, mobile carrier geo-resolutions, and cloud-based corporate desktops (AWS Workspaces/VDI) from cloud ASNs. The rule provides investigation guidance, remediation steps (token revocation, password reset, OAuth grant review, and auditing), and links to Entra/Azure logs for persistence mechanisms. MITRE mappings cover Initial Access (T1078, T1078.004) and Credential Access (T1528, T1557).
Categories
- Cloud
- Identity Management
- Azure
Data Sources
- Cloud Service
- User Account
ATT&CK Techniques
- T1078
- T1078.004
- T1528
- T1557
Created: 2026-05-15