
O365_AzureAD_UserLoggedIn

ID: 100471

Description:

A behavior rule that tracks UserLoggedIn operations in Azure Active Directory, keyed by UserId.

This rule flags the first occurrence of a successful login for a UserId, and the first login ISP and login country seen for that UserId. It also flags the first occurrence of a login ISP within the entity scope.

Notes:

LogonError - UserAccountNotFound, InvalidPasswordExpiredPassword, and UserInformationNotProvided events are excluded
UserType - 0
Excludes ISP - Microsoft Corporation

Repository:

Group: Office365
Type: event

Default Status:

Enabled

Tags:

O365 AzureAD

Selector:

Query:

Filters:

Field MUST hit
@sender office365
@fields.Operation UserLoggedIn
@fields.UserType 0
@fields.ResultStatus Succeeded, Success

Field MUST NOT hit
@fields._ip.isp Microsoft Corporation
@fields.LogonError InvalidPasswordExpiredPassword, UserAccountNotFound, UserInformationNotProvided

Behavior Rule:

Key Type Behavior Category
@fields.UserId username application activity

Risks:

Risks Base Score Dimension
Timeline 0 -

Attributes:

Alias Key
Operation @fields.Operation
Username @fields.UserId
Workload @fields.Workload
City @fields._ip.city
Country @fields._ip.country
ISP @fields._ip.isp
ActorIP @fields.ActorIpAddress
ClientIP @fields.ClientIP
OS @fields.DevicePropertiesFields.OS
BrowserType @fields.DevicePropertiesFields.BrowserType

Correlation Rules:

First Occurrence:

Name Window Fields Risks
NewISP 20 days @fields._ip.isp SUSPICIOUS_GEO
NewISP_ES 20 days @fields._ip.isp SUSPICIOUS_GEO
NewUser 20 days @fields.UserId ML_NEW_USER
NewCountry 30 days @fields._ip.country ML_NEW_GEO_COUNTRY

History:

User Date
em*n@fluencysecurity.com 2021 Mar 17 13:32:44 EDT
em*n@fluencysecurity.com 2021 Mar 17 14:05:47 EDT
em*n@fluencysecurity.com 2021 Mar 17 23:55:11 EDT
em*n@fluencysecurity.com 2021 Mar 18 09:20:09 EDT
em*n@fluencysecurity.com 2021 Mar 18 13:46:18 EDT
em*n@fluencysecurity.com 2021 Mar 19 03:02:05 EDT
em*n@fluencysecurity.com 2021 Mar 19 13:49:07 EDT
em*n@fluencysecurity.com 2021 Mar 25 12:38:47 EDT
em*n@fluencysecurity.com 2021 Mar 25 12:38:59 EDT
em*n@fluencysecurity.com 2021 Mar 25 14:08:36 EDT
em*n@fluencysecurity.com 2021 Jul 6 23:19:15 EDT
em*n@fluencysecurity.com 2021 Jul 13 14:41:27 EDT
ho*d@fluencysecurity.com 2021 Jul 15 00:10:25 EDT
ku*n@fluencysecurity.com 2021 Sep 15 17:20:29 EDT
ke*y@fluencysecurity.com 2021 Sep 22 10:25:56 EDT
ke*y@fluencysecurity.com 2021 Sep 24 09:33:04 EDT
ho*d@fluencysecurity.com 2021 Oct 8 10:53:17 EDT
ho*d@fluencysecurity.com 2021 Oct 8 11:00:10 EDT
ho*d@fluencysecurity.com 2021 Oct 8 11:01:03 EDT
ho*d@fluencysecurity.com 2021 Oct 8 11:03:43 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)