
O365_Logins_From_Different_ISPs

ID: 100204

Description:

A user logged in from two different ISPs within 8 hours

Repository: Group: Office365 Type: event

Default Status:

Enabled

Tags:
Office365

Selector:

Query:

Filters:

Field                 MUST hit
@sender               office365
@fields.Operation     UserLoggedIn
@fields.UserType      0
@fields.ResultStatus  Succeeded, Success

Field                 MUST NOT hit
@fields.LogonError    UserInformationNotProvided, InvalidPasswordExpiredPassword, UserAccountNotFound

Behavior Rule:

Key Type Behavior Category
@fields.UserId username application activity

Risks:

Risks Base Score Dimension

Attributes:

Alias Key
Operation @fields.Operation
Username @fields.UserId
Workload @fields.Workload
City @fields._ip.city
Country @fields._ip.country
ISP @fields._ip.isp

Correlation Rules:

Aggregation:

Name          Window   Field            AggType      Match
DifferentISP  8 hours  @fields._ip.isp  cardinality  gt 4
  Risks: SUSPICIOUS_GEO
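To show how the filter block and the DifferentISP aggregation fit together as detection logic, the following Python is an added example, not code from the Fluency rule page or product. It applies the MUST hit / MUST NOT hit filters to a nested event dict, then groups successful logins by @fields.UserId and checks whether any 8-hour window contains more distinct @fields._ip.isp values than the aggregation's Match threshold (gt 4, as written above; the threshold is a parameter so it can be tuned). The event layout, the CreationTime timestamp field, and all sample logins are constructed assumptions for the example.

```python
"""Filter + windowed ISP-cardinality check over constructed O365 login events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Filter block of the rule, transcribed from the page.
MUST_HIT = {
    "@sender": {"office365"},
    "@fields.Operation": {"UserLoggedIn"},
    "@fields.UserType": {"0"},
    "@fields.ResultStatus": {"Succeeded", "Success"},
}
MUST_NOT_HIT = {
    "@fields.LogonError": {
        "UserInformationNotProvided",
        "InvalidPasswordExpiredPassword",
        "UserAccountNotFound",
    },
}
WINDOW = timedelta(hours=8)   # aggregation Window
THRESHOLD = 4                 # aggregation Match: cardinality gt 4


def get_field(event, key):
    """Resolve an '@a.b.c' style key against a nested dict; None if absent."""
    node = event
    for part in key.lstrip("@").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def passes_filters(event):
    """True when every MUST-hit value matches and no MUST-NOT-hit value does."""
    for key, allowed in MUST_HIT.items():
        if str(get_field(event, key)) not in allowed:
            return False
    for key, denied in MUST_NOT_HIT.items():
        if str(get_field(event, key)) in denied:
            return False
    return True


def detect_isp_cardinality(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: isps} for users whose filtered logins span more than
    `threshold` distinct ISPs inside some `window`-long sliding interval."""
    per_user = defaultdict(list)
    for ev in events:
        if not passes_filters(ev):
            continue
        ts = datetime.fromisoformat(get_field(ev, "@fields.CreationTime"))
        per_user[get_field(ev, "@fields.UserId")].append(
            (ts, get_field(ev, "@fields._ip.isp")))
    alerts = {}
    for user, logins in per_user.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            isps = {isp for ts, isp in logins[i:] if ts - start <= window}
            if len(isps) > threshold:
                alerts[user] = isps
                break
    return alerts


def make_event(user, when, isp, status="Succeeded", user_type=0, logon_error=None):
    """Build a constructed event in the assumed nested layout (not real audit data)."""
    fields = {"Operation": "UserLoggedIn", "UserType": user_type,
              "ResultStatus": status, "UserId": user, "Workload": "Exchange",
              "CreationTime": when,
              "_ip": {"isp": isp, "city": "n/a", "country": "n/a"}}
    if logon_error:
        fields["LogonError"] = logon_error
    return {"sender": "office365", "fields": fields}


# Constructed sample: alice hits five ISPs in 3.5 hours (plus one failed login
# that the filters must discard); bob hits five ISPs but 7 hours apart each,
# so no 8-hour window ever holds more than two.
SAMPLE_EVENTS = [
    make_event("alice@example.com", "2021-03-16T09:00:00", "isp-a"),
    make_event("alice@example.com", "2021-03-16T09:30:00", "isp-b"),
    make_event("alice@example.com", "2021-03-16T10:10:00", "isp-c"),
    make_event("alice@example.com", "2021-03-16T11:00:00", "isp-d"),
    make_event("alice@example.com", "2021-03-16T12:30:00", "isp-e"),
    make_event("alice@example.com", "2021-03-16T13:00:00", "isp-f",
               status="Failed", logon_error="UserAccountNotFound"),
    make_event("bob@example.com", "2021-03-16T08:00:00", "isp-1"),
    make_event("bob@example.com", "2021-03-16T15:00:00", "isp-2"),
    make_event("bob@example.com", "2021-03-16T22:00:00", "isp-3"),
    make_event("bob@example.com", "2021-03-17T05:00:00", "isp-4"),
    make_event("bob@example.com", "2021-03-17T12:00:00", "isp-5"),
]

if __name__ == "__main__":
    for user, isps in detect_isp_cardinality(SAMPLE_EVENTS).items():
        print(f"SUSPICIOUS_GEO: {user} logged in from {sorted(isps)}")
```

The sliding window starts at each login in turn, so a burst that straddles a fixed clock boundary is still caught; a fixed bucketed window would miss it. The failed login is dropped by the ResultStatus MUST-hit condition before it can contribute a sixth ISP.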

History:

User Date
em*n@fluencysecurity.com 2021 Mar 16 09:44:17 EDT
em*n@fluencysecurity.com 2021 Mar 16 13:26:49 EDT
em*n@fluencysecurity.com 2021 Mar 16 17:18:43 EDT
em*n@fluencysecurity.com 2021 Mar 17 09:06:11 EDT
em*n@fluencysecurity.com 2021 Mar 17 14:06:55 EDT
em*n@fluencysecurity.com 2021 Mar 17 23:57:12 EDT
em*n@fluencysecurity.com 2021 Mar 18 13:47:49 EDT
em*n@fluencysecurity.com 2021 Mar 19 03:01:09 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)