Abnormal successful Microsoft 365 Exchange login event

Docs > Datadog Security > OOTB Rules > Abnormal successful Microsoft 365 Exchange login event

Classification:

attack

Tactic:

Technique:

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect an Impossible Travel event by a user logging in to Microsoft Exchange.

Strategy

The Impossible Travel detection type’s algorithm compares the GeoIP data of the last and the current Microsoft-365 mailbox login event (@evt.name:MailboxLogin) to determine if the user {{@usr.name}} traveled more than 500km at over 1,000km/hr.

Triage and response

Determine if {{@usr.name}} should be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}} in a short period of time.
If the user should not be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login.