O365_Logins_From_Different_ISPs
ID: 100204
Description:
A user logged in from two different ISPs within 8 hours
Repository: Group: Office365 Type: event
Default Status:
Enabled
| Tags: |
|---|
| Office365 |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @sender | office365 |
| @fields.Operation | UserLoggedIn |
| @fields.UserType | 0 |
| @fields.ResultStatus | Succeeded |
| Success |
| Field | MUST NOT hit |
|---|---|
| @fields.LogonError | UserInformationNotProvided |
| InvalidPasswordExpiredPassword | |
| UserAccountNotFound |
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @fields.UserId | username | application activity |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
Attributes:
| Alias | Key |
|---|---|
| Operation | @fields.Operation |
| Username | @fields.UserId |
| Workload | @fields.Workload |
| City | @fields._ip.city |
| Country | @fields._ip.country |
| ISP | @fields._ip.isp |
Correlation Rules:
Aggregation:
| Name | Window | Field | AggType | Match |
|---|---|---|---|---|
| DifferentISP | 8 hours | @fields._ip.isp | cardinality | gt 4 |
| Risks: | SUSPICIOUS_GEO |
History:
| User | Date |
|---|---|
| em*n@fluencysecurity.com | 2021 Mar 16 09:44:17 EDT |
| em*n@fluencysecurity.com | 2021 Mar 16 13:26:49 EDT |
| em*n@fluencysecurity.com | 2021 Mar 16 17:18:43 EDT |
| em*n@fluencysecurity.com | 2021 Mar 17 09:06:11 EDT |
| em*n@fluencysecurity.com | 2021 Mar 17 14:06:55 EDT |
| em*n@fluencysecurity.com | 2021 Mar 17 23:57:12 EDT |
| em*n@fluencysecurity.com | 2021 Mar 18 13:47:49 EDT |
| em*n@fluencysecurity.com | 2021 Mar 19 03:01:09 EDT |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)