O365_AzureAD_UserLoggedIn
ID: 100471
Description:
A behavior rule to track UserLoggedIn operations in Azure Active Directory, by UserId.
This rule indicates the first occurrence of a successful login by the UserId, the login ISP, and login Country. Additionally, this rule also examines the first occurrence of a login ISP within the entity scope.
Notes: LogonError - UserAccountNotFound, InvalidPasswordExpiredPassword, and UserInformationNotProvided events are excluded UserType - 0 Excludes ISP - Microsoft Corporation
Repository: Fluency Group: Office365 Type: event
Default Status:
Enabled
| Tags: | |
|---|---|
| O365 | AzureAD |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @sender | office365 |
| @fields.Operation | UserLoggedIn |
| @fields.UserType | 0 |
| @fields.ResultStatus | Succeeded |
| Success |
| Field | MUST NOT hit |
|---|---|
| @fields._ip.isp | Microsoft Corporation |
| @fields.LogonError | InvalidPasswordExpiredPassword |
| UserAccountNotFound | |
| UserInformationNotProvided |
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @fields.UserId | username | application activity |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
| Timeline | 0 | - |
Attributes:
| Alias | Key |
|---|---|
| Operation | @fields.Operation |
| Username | @fields.UserId |
| Workload | @fields.Workload |
| City | @fields._ip.city |
| Country | @fields._ip.country |
| ISP | @fields._ip.isp |
| ActorIP | @fields.ActorIpAddress |
| ClientIP | @fields.ClientIP |
| OS | @fields.DevicePropertiesFields.OS |
| BrowserType | @fields.DevicePropertiesFields.BrowserType |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| NewISP | 30 days | @fields._ip.isp |
| Risks: | ML_NEW_GEO_ISP | |
| NewISP_ES | 30 days | @fields._ip.isp |
| Risks: | ML_NEW_GEO_ISP | |
| NewUser | 30 days | @fields.UserId |
| Risks: | ML_NEW_USER | |
| NewCountry | 30 days | @fields._ip.country |
| Risks: | ML_NEW_GEO_COUNTRY |
History:
| User | Date |
|---|---|
| em*n@fluencysecurity.com | 2021 Mar 17 13:32:44 EDT |
| em*n@fluencysecurity.com | 2021 Mar 17 14:05:47 EDT |
| em*n@fluencysecurity.com | 2021 Mar 17 23:55:11 EDT |
| em*n@fluencysecurity.com | 2021 Mar 18 09:20:09 EDT |
| em*n@fluencysecurity.com | 2021 Mar 18 13:46:18 EDT |
| em*n@fluencysecurity.com | 2021 Mar 19 03:02:05 EDT |
| em*n@fluencysecurity.com | 2021 Mar 19 13:49:07 EDT |
| em*n@fluencysecurity.com | 2021 Mar 25 12:38:47 EDT |
| em*n@fluencysecurity.com | 2021 Mar 25 12:38:59 EDT |
| em*n@fluencysecurity.com | 2021 Mar 25 14:08:36 EDT |
| em*n@fluencysecurity.com | 2021 Jul 6 23:19:15 EDT |
| em*n@fluencysecurity.com | 2021 Jul 13 14:41:27 EDT |
| ho*d@fluencysecurity.com | 2021 Jul 15 00:10:25 EDT |
| ku*n@fluencysecurity.com | 2021 Sep 15 17:20:29 EDT |
| ke*y@fluencysecurity.com | 2021 Sep 22 10:25:56 EDT |
| ke*y@fluencysecurity.com | 2021 Sep 24 09:33:04 EDT |
| ho*d@fluencysecurity.com | 2021 Oct 8 10:53:17 EDT |
| ho*d@fluencysecurity.com | 2021 Oct 8 11:00:10 EDT |
| ho*d@fluencysecurity.com | 2021 Oct 8 11:01:03 EDT |
| ho*d@fluencysecurity.com | 2021 Oct 8 11:03:43 EDT |
| ke*y@fluencysecurity.com | 2021 Nov 2 04:21:19 EDT |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)