valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
0e1c156ddf
SigmaHQ/rules/cloud/m365/microsoft365_impossible_travel_activity.yml
Austin Songer 0a3e57cc12 Update
2021-08-20 02:10:32 +00:00

28 lines
836 B
YAML
Raw Blame History

title: Microsoft 365 - Impossible Travel Activity
id: d7eab125-5f94-43df-8710-795b80fa1189
status: experimental
description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
author: Austin Songer @austinsonger
date: 2020/07/06
modified: 2020/07/06
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: Office365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Impossible travel activity"
status: success
condition: selection
falsepositives:
-
level: medium
tags:
- attack.initial_access
- attack.t1078
Reference in New Issue View Git Blame Copy Permalink