heroui logo

Microsoft Entra ID Impossible Travel Sign-in

Elastic Detection Rules

View Source
Summary
Detects suspicious Microsoft Entra ID interactive sign-ins for the same user from geographically distant locations within a 90-minute window, where the implied travel speed between the two points exceeds 800 km/h and the separation is at least 500 km. This pattern suggests either VPN/proxy egress or a compromised account being used from a location different from the legitimate user. The rule focuses on SignInLogs (interactive sign-ins) and excludes non-interactive token refresh activity. It uses Azure Entra ID sign-in data to compute both a bbox-based separation (region centroids) for triage and an honest pair based on the actual first/last sign-ins to validate travel plausibility. Affected indicators include user principal, geographic values, IPs, user agents, device/browser/os details, apps touched, and resources accessed. False positives include VPN/proxy egress to distant regions, mobile carrier geo-resolutions, and cloud-based corporate desktops (AWS Workspaces/VDI) from cloud ASNs. The rule provides investigation guidance, remediation steps (token revocation, password reset, OAuth grant review, and auditing), and links to Entra/Azure logs for persistence mechanisms. MITRE mappings cover Initial Access (T1078, T1078.004) and Credential Access (T1528, T1557).
Categories
  • Cloud
  • Identity Management
  • Azure
Data Sources
  • Cloud Service
  • User Account
ATT&CK Techniques
  • T1078
  • T1078.004
  • T1528
  • T1557
Created: 2026-05-15