[Rule Tuning] M365 Portal Logins (Impossible & Atypical) (#5031)
* [Rule Tuning] M365 Portal Logins (Impossible & Atypical) Fixes #5009
* updated new terms value
* fixed unit test failures
* Update rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* adjusted rule name and file names
* fixed field misspelling
* fixed investigation guide
--------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
@@ -0,0 +1,134 @@
[metadata]
creation_date = "2024/09/04"
integration = ["o365"]
maturity = "production"
updated_date = "2025/08/26"

[rule]
author = ["Elastic"]
description = """
Detects successful Microsoft 365 portal logins from rare locations. Rare locations are defined as locations that are not
commonly associated with the user's account. This behavior may indicate an adversary attempting to access a Microsoft
365 account from an unusual location or behind a VPN.
"""
false_positives = [
"""
False positives may occur when users are using a VPN or when users are traveling to different locations"
""",
"""
Mobile access may also result in false positives, as users may log in from various locations while on the go.
""",
]
from = "now-15m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Portal Login (Atypical Travel)"
note = """## Triage and analysis

### Investigating M365 Portal Login (Atypical Travel)

Microsoft 365 is a cloud-based suite offering productivity tools accessible from anywhere, making it crucial for business operations. Adversaries may exploit this by logging in from uncommon locations, potentially using VPNs to mask their origin. The detection rule identifies successful logins from atypical locations, flagging potential unauthorized access attempts by analyzing login events and user location patterns.

### Possible investigation steps

- Review the user associated with these sign-ins to determine if the login attempt was legitimate or if further investigation is needed.
- Analyze the geographic locations of the logins to identify any patterns or anomalies that may indicate malicious activity.
- Review the ISP information for the login attempts to identify any unusual or suspicious providers.
- Review the authorization request type to understand the context of the login attempts and whether they align with the user's typical behavior.
- Analyze the client application used for the login attempts to determine if it is consistent with the user's normal usage patterns (Teams, Office, etc.)
- Analyze the user-agent associated with the login attempts to identify any unusual or suspicious patterns.

### False positive analysis

- Users traveling or using VPNs may trigger this alert. Verify with the user if they were traveling or using a VPN at the time of the login attempt.
- Mobile access may also result in false positives, as users may log in from various locations while on the go.

### Response and remediation

- Investigate the login attempt further by checking for any additional context or related events that may provide insight into the user's behavior.
- If the login attempt is deemed suspicious, consider implementing additional security measures, such as requiring multi-factor authentication (MFA) for logins from unusual locations.
- Educate users about the risks of accessing corporate resources from unfamiliar locations and the importance of using secure connections (e.g., VPNs) when doing so.
- Monitor for any subsequent login attempts from the same location or IP address to identify potential patterns of malicious activity.
"""
references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
risk_score = 47
rule_id = "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc"
severity = "medium"
tags = [
"Domain: Cloud",
"Domain: SaaS",
"Data Source: Microsoft 365",
"Data Source: Microsoft 365 Audit Logs",
"Use Case: Threat Detection",
"Use Case: Identity and Access Audit",
"Tactic: Initial Access",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset:o365.audit and
event.provider:AzureActiveDirectory and
event.action:UserLoggedIn and
event.outcome:success and
o365.audit.Target.Type:(0 or 10 or 2 or 3 or 5 or 6) and
o365.audit.UserId:(* and not "Not Available") and
source.geo.region_iso_code:* and
o365.audit.Target.ID:(
00000006-0000-0ff1-ce00-000000000000 or
4765445b-32c6-49b0-83e6-1d93765276ca
) and not o365.audit.ApplicationId:(
29d9ed98-a469-4536-ade2-f981bc1d605e or
38aa3b87-a06d-4817-b275-7a316988d93b or
a809996b-059e-42e2-9866-db24b99a9782
) and not o365.audit.ExtendedProperties.RequestType:(
"Cmsi:Cmsi" or
"Consent:Set" or
"Login:reprocess" or
"Login:resume" or
"MessagePrompt:MessagePrompt" or
"SAS:EndAuth"
)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.investigation_fields]
field_names = [
"@timestamp",
"organization.id",
"o365.audit.UserId",
"o365.audit.ActorIpAddress",
"o365.audit.ApplicationId",
"o365.audit.ExtendedProperties.RequestType",
"o365.audit.Target.ID",
"source.geo.region_iso_code",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["o365.audit.UserId", "source.geo.region_iso_code"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"


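Review bot: The first `false_positives` entry ends with a stray double quote (`...traveling to different locations"`) where the second entry, and the same sentence in the file being deleted, end with a period; it is legal inside the `"""` block but will be rendered verbatim in the rule's false-positive text, so drop it and close the sentence with a period. The description still speaks of "rare locations" without saying what the rule actually baselines: `[rule.new_terms]` keys on the pair `o365.audit.UserId` / `source.geo.region_iso_code` over the 14-day `history_window_start`, i.e. an alert means a region (not just a country) never seen for that user in the last 14 days; one sentence to that effect in `description` would tell analysts what "atypical" means here.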
@@ -0,0 +1,133 @@
[metadata]
creation_date = "2024/09/04"
integration = ["o365"]
maturity = "production"
updated_date = "2025/08/26"

[rule]
author = ["Elastic"]
description = """
Detects successful Microsoft 365 portal logins from impossible travel locations. Impossible travel locations are defined
as two different countries within a short time frame. This behavior may indicate an adversary attempting to access a
Microsoft 365 account from a compromised account or a malicious actor attempting to access a Microsoft 365 account from
a different location.
"""
false_positives = [
"""
False positives may occur when users are using a VPN or when users are traveling to different locations for
legitimate purposes.
""",
]
from = "now-15m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Portal Login (Impossible Travel)"
note = """## Triage and analysis

### Investigating M365 Portal Login (Impossible Travel)

Microsoft 365's cloud-based services enable global access, but this can be exploited by adversaries logging in from disparate locations within short intervals, indicating potential account compromise. The detection rule identifies such anomalies by analyzing login events for rapid geographic shifts, flagging suspicious activity that may suggest unauthorized access attempts.

### Possible investigation steps

- Review the user associated with these sign-ins to determine if the login attempt was legitimate or if further investigation is needed.
- Analyze the geographic locations of the logins to identify any patterns or anomalies that may indicate malicious activity.
- Review the ISP information for the login attempts to identify any unusual or suspicious providers.
- Review the authorization request type to understand the context of the login attempts and whether they align with the user's typical behavior.
- Analyze the client application used for the login attempts to determine if it is consistent with the user's normal usage patterns (Teams, Office, etc.)
- Analyze the user-agent associated with the login attempts to identify any unusual or suspicious patterns.

### False positive analysis

- Users traveling or using VPNs may trigger this alert. Verify with the user if they were traveling or using a VPN at the time of the login attempt.
- Mobile access may also result in false positives, as users may log in from various locations while on the go.

### Response and remediation

- Investigate the login attempt further by checking for any additional context or related events that may provide insight into the user's behavior.
- If the login attempt is deemed suspicious, consider implementing additional security measures, such as requiring multi-factor authentication (MFA) for logins from unusual locations.
- Educate users about the risks of accessing corporate resources from unfamiliar locations and the importance of using secure connections (e.g., VPNs) when doing so.
- Monitor for any subsequent login attempts from the same location or IP address to identify potential patterns of malicious activity.
"""
references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
risk_score = 47
rule_id = "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc"
severity = "medium"
tags = [
"Domain: Cloud",
"Domain: SaaS",
"Data Source: Microsoft 365",
"Data Source: Microsoft 365 Audit Logs",
"Use Case: Threat Detection",
"Use Case: Identity and Access Audit",
"Tactic: Initial Access",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.dataset:o365.audit and
event.provider:AzureActiveDirectory and
event.action:UserLoggedIn and
event.outcome:success and
o365.audit.Target.Type:(0 or 10 or 2 or 3 or 5 or 6) and
o365.audit.UserId:(* and not "Not Available") and
source.geo.country_name:* and
o365.audit.Target.ID:(
00000006-0000-0ff1-ce00-000000000000 or
4765445b-32c6-49b0-83e6-1d93765276ca
) and not o365.audit.ApplicationId:(
29d9ed98-a469-4536-ade2-f981bc1d605e or
38aa3b87-a06d-4817-b275-7a316988d93b or
a809996b-059e-42e2-9866-db24b99a9782
) and not o365.audit.ExtendedProperties.RequestType:(
"Cmsi:Cmsi" or
"Consent:Set" or
"Login:reprocess" or
"Login:resume" or
"MessagePrompt:MessagePrompt" or
"SAS:EndAuth"
)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.investigation_fields]
field_names = [
"@timestamp",
"organization.id",
"o365.audit.UserId",
"o365.audit.ActorIpAddress",
"o365.audit.ApplicationId",
"o365.audit.ExtendedProperties.RequestType",
"o365.audit.Target.ID",
"source.geo.country_name",
]

[rule.threshold]
field = ["o365.audit.UserId"]
value = 1
[[rule.threshold.cardinality]]
field = "source.geo.country_name"
value = 2


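Review bot: `false_positives` lists only the VPN/travel case, while the guide's `### False positive analysis` also names mobile access as a cause; add the mobile-access entry to `false_positives` (the Atypical Travel rule in this PR already does) so the metadata and the guide agree. The description's "short time frame" is, concretely, the `from = "now-15m"` lookback over which `[[rule.threshold.cardinality]]` must see two distinct `source.geo.country_name` values for one `o365.audit.UserId`; stating the 15-minute window in `description` would make the rule's sensitivity obvious to whoever tunes it, and the `### Investigating` paragraph's "rapid geographic shifts" should be read the same way since the threshold checks cardinality, not travel speed.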
@@ -1,104 +0,0 @@
[metadata]
creation_date = "2024/09/04"
integration = ["o365"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Detects successful Microsoft 365 portal logins from impossible travel locations. Impossible travel locations are defined
as two different countries within a short time frame. This behavior may indicate an adversary attempting to access a
Microsoft 365 account from a compromised account or a malicious actor attempting to access a Microsoft 365 account from
a different location.
"""
false_positives = [
"""
False positives may occur when users are using a VPN or when users are traveling to different locations for
legitimate purposes.
""",
]
from = "now-15m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Portal Logins from Impossible Travel Locations"
references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
risk_score = 47
rule_id = "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.dataset: "o365.audit"
and event.provider: "AzureActiveDirectory"
and event.action: "UserLoggedIn"
and event.outcome: "success"
and not o365.audit.UserId: "Not Available"
and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft 365 Portal Logins from Impossible Travel Locations

Microsoft 365's cloud-based services enable global access, but this can be exploited by adversaries logging in from disparate locations within short intervals, indicating potential account compromise. The detection rule identifies such anomalies by analyzing login events for rapid geographic shifts, flagging suspicious activity that may suggest unauthorized access attempts.

### Possible investigation steps

- Review the login events associated with the specific UserId flagged in the alert to confirm the occurrence of logins from different countries within a short time frame.
- Check the IP addresses associated with the login events to determine if they are from known or suspicious sources, and verify if they are consistent with the user's typical login behavior.
- Investigate the user's recent activity in Microsoft 365 to identify any unusual or unauthorized actions that may indicate account compromise.
- Contact the user to verify if they were traveling or using a VPN service that could explain the login from an unexpected location.
- Examine any recent changes to the user's account settings or permissions that could suggest unauthorized access or tampering.
- Review the organization's security logs and alerts for any other suspicious activities or patterns that might correlate with the detected anomaly.

### False positive analysis

- Frequent business travelers may trigger false positives due to legitimate logins from different countries within short time frames. To manage this, create exceptions for users with known travel patterns by whitelisting their accounts or using conditional access policies.
- Use of VPNs or proxy services can result in logins appearing from different geographic locations. Identify and exclude IP ranges associated with trusted VPN services to reduce false positives.
- Employees working remotely from different countries may cause alerts. Implement user-based exceptions for remote workers who regularly log in from multiple locations.
- Automated systems or services that log in from various locations for legitimate reasons can be mistaken for suspicious activity. Exclude these service accounts from the rule to prevent unnecessary alerts.
- Consider time zone differences that might affect the perceived timing of logins. Adjust the rule's sensitivity to account for legitimate time zone shifts that could appear as impossible travel.

### Response and remediation

- Immediately isolate the affected user account by disabling it to prevent further unauthorized access.
- Initiate a password reset for the compromised account and enforce multi-factor authentication (MFA) to enhance security.
- Review recent login activity and audit logs for the affected account to identify any unauthorized access or data exfiltration attempts.
- Notify the user of the suspicious activity and advise them to verify any recent changes or actions taken on their account.
- Escalate the incident to the security operations team for further investigation and to determine if other accounts or systems have been compromised.
- Implement geo-blocking for high-risk countries or regions where the organization does not typically conduct business to prevent similar unauthorized access attempts.
- Update and refine security monitoring rules to enhance detection of similar anomalous login patterns in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.threshold]
field = ["o365.audit.UserId"]
value = 1
[[rule.threshold.cardinality]]
field = "source.geo.country_name"
value = 2


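Review bot: Deleting this file drops the generative-AI disclaimer block and the concrete containment steps in `### Response and remediation` (disable the account, reset the password and enforce MFA, review audit logs for exfiltration, escalate to the security operations team), none of which survive in the replacement rule's guide, whose remediation list is limited to further investigation, MFA for unusual locations, user education and monitoring; if the softer list is intentional, say so in the PR description, otherwise carry the containment steps over before this file is removed. The same `rule_id` `3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc` is reused by the new file, so this is an in-place update of a production rule, not a new rule.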
@@ -1,103 +0,0 @@
[metadata]
creation_date = "2024/09/04"
integration = ["o365"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Detects successful Microsoft 365 portal logins from rare locations. Rare locations are defined as locations that are not
commonly associated with the user's account. This behavior may indicate an adversary attempting to access a Microsoft
365 account from an unusual location or behind a VPN.
"""
false_positives = [
"""
False positives may occur when users are using a VPN or when users are traveling to different locations.
""",
]
from = "now-9m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Portal Login from Rare Location"
references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
risk_score = 47
rule_id = "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "o365.audit"
and event.provider: "AzureActiveDirectory"
and event.action: "UserLoggedIn"
and event.outcome: "success"
and not o365.audit.UserId: "Not Available"
and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft 365 Portal Login from Rare Location

Microsoft 365 is a cloud-based suite offering productivity tools accessible from anywhere, making it crucial for business operations. Adversaries may exploit this by logging in from uncommon locations, potentially using VPNs to mask their origin. The detection rule identifies successful logins from atypical locations, flagging potential unauthorized access attempts by analyzing login events and user location patterns.

### Possible investigation steps

- Review the login event details from the o365.audit dataset to confirm the user's identity and the timestamp of the login.
- Analyze the location data associated with the login event to determine if it is indeed rare or unusual for the user's typical access patterns.
- Check the user's recent login history to identify any other logins from the same rare location or any other unusual locations.
- Investigate the IP address used during the login to determine if it is associated with known VPN services or suspicious activity.
- Contact the user to verify if they initiated the login from the rare location or if they are aware of any unauthorized access attempts.
- Examine any recent changes to the user's account settings or permissions that could indicate compromise or unauthorized access.
- Correlate this event with other security alerts or logs to identify any patterns or additional indicators of compromise.

### False positive analysis

- Users traveling frequently may trigger alerts due to logins from new locations. Implement a process to update known travel patterns for these users to reduce false positives.
- Employees using VPNs for legitimate purposes might appear to log in from rare locations. Maintain a list of approved VPN IP addresses and exclude them from triggering alerts.
- Remote workers who occasionally connect from different locations can cause false positives. Establish a baseline of expected locations for these users and adjust the detection rule accordingly.
- Shared accounts accessed by multiple users from different locations can lead to false alerts. Consider monitoring these accounts separately and applying stricter access controls.
- Temporary relocations, such as business trips or remote work arrangements, may result in unusual login locations. Communicate with users to anticipate these changes and adjust the detection parameters temporarily.

### Response and remediation

- Immediately isolate the affected user account by disabling it to prevent further unauthorized access.
- Notify the user and relevant IT security personnel about the suspicious login activity to ensure awareness and initiate further investigation.
- Conduct a password reset for the affected account and enforce multi-factor authentication (MFA) if not already enabled to enhance account security.
- Review and analyze recent activity logs for the affected account to identify any unauthorized actions or data access that may have occurred.
- If unauthorized access is confirmed, initiate a security incident response plan, including data breach notification procedures if necessary.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems or accounts are compromised.
- Implement geo-blocking or conditional access policies to restrict access from rare or high-risk locations, reducing the likelihood of similar incidents in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.new_terms]
field = "new_terms_fields"
value = ["o365.audit.UserId", "source.geo.country_name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"


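Review bot: The removal changes the rule's baseline semantics, not only its name: this version keyed `[rule.new_terms]` on `source.geo.country_name` with `from = "now-9m"`, while the replacement file keeps the same `rule_id` `32d3ad0e-6add-11ef-8c7b-f661ea17fbcc` but keys on `source.geo.region_iso_code` with a 15-minute lookback, so existing deployments will be updated in place from a per-country to a per-region baseline and alert volume will rise for users who move between regions inside one country. The commit message only says "updated new terms value"; the PR description should spell out the granularity change, and the `history_window_start` of `now-14d` should be re-checked against that finer field, since a region a user visited more than 14 days ago will alert again.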