Anomalous login followed by Teams action



Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed. The query calculates the IP usage delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP. To further reduce results, the query performs a prevalence check on the lowest-used IP's country, only keeping IPs where the country is unusual for the tenant (dynamic ranges). Please note, if the initial logic of prevalence to find su

Attribute: Value
Type: Analytic Rule
Solution: Standalone Content
ID: 2b701288-b428-4fb8-805e-e4372c574786
Severity: Medium
Kind: Scheduled
Tactics: InitialAccess, Persistence
Techniques: T1199, T1136, T1078, T1098
Required Connectors: Office365, AzureActiveDirectory, AzureActiveDirectory
Source: View on GitHub

Tables Used

This content item queries data from the following tables:

Table Transformations Ingestion API Lake-Only
OfficeActivity ?
Operation ? ?
