Detectionmediumtest

Microsoft 365 - Impossible Travel Activity

Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Austin SongerCreated Mon Jul 06Updated Sat Nov 27d7eab125-5f94-43df-8710-795b80fa1189cloud

Log Source

Microsoft 365threat_management

ProductMicrosoft 365← raw: m365

Servicethreat_management← raw: threat_management

Detection Logic

detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Impossible travel activity'
        status: success
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence TA0005 · Defense Evasion TA0001 · Initial Access

Techniques

T1078 · Valid Accounts

Rule Metadata

Rule ID

d7eab125-5f94-43df-8710-795b80fa1189

Status

test

Level

medium

Type

Detection

Created

Mon Jul 06

Modified

Sat Nov 27

Author

Austin Songer

Path

rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.defense-evasionattack.initial-accessattack.t1078

View on GitHub