Rule
Microsoft 365 Anomalous Login
Purpose
This detection identifies potentially compromised Microsoft 365 (Office 365) accounts whose sign-ins are anomalous. Every unique sign-in is compared against that user's sign-in history over the previous 90 days on the following characteristics: source geo city rarity, geo country rarity, source IP rarity, user agent rarity, distance travelled from the user's usual sign-in location, a high-confidence-country check (countries the user signs in from regularly) and a suspicious-country check. An ML model scores these characteristics to decide whether the sign-in is an anomaly.
Objective
Detect anomalous logins based on unusual activity patterns.
How to test
Use the test user account to simulate an anomalous sign-in by:
Signing in from a rare geographic location (for example through a VPN exit in a country the user has not signed in from during the last 90 days).
Signing in from an unusual source IP address or with a rare user agent string (for example a different browser or device).
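The characteristics listed under Purpose and the test scenario above, worked through in code. This is an added illustration, not the rule's own implementation: it computes the rarity, distance and country-check features over a constructed 90-day sign-in history for one user and replaces the rule's ML model with a fixed weighted score. The feature weights, the 10% high-confidence share, the anomaly threshold, the suspicious-country list and every sign-in in the history are assumptions made for the example.

```python
"""Added example: anomalous sign-in features over a 90-day baseline.

Not the detection rule's own code. The weights, thresholds and the
sample history below are assumptions chosen for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

BASELINE_DAYS = 90
HIGH_CONFIDENCE_SHARE = 0.10            # assumed: >=10% of baseline sign-ins
SUSPICIOUS_COUNTRIES = frozenset({"ZZ"})  # constructed placeholder; fill from policy
ANOMALY_THRESHOLD = 0.5                 # assumed cut-off for the stand-in score


@dataclass(frozen=True)
class SignIn:
    when: datetime
    ip: str
    city: str
    country: str
    lat: float
    lon: float
    user_agent: str


def constructed_baseline(now: datetime) -> list[SignIn]:
    """Constructed sample history for one user (not real log data)."""
    edge = "Mozilla/5.0 (Windows NT 10.0) Edge/120"
    ios = "Mozilla/5.0 (iPhone) Safari/17.0"
    events = []
    for d in range(1, 61):            # 60 sign-ins from home broadband in London
        events.append(SignIn(now - timedelta(days=d), "203.0.113.10", "London", "GB",
                             51.5074, -0.1278, edge))
    for d in range(5, 80, 15):        # 5 sign-ins from Manchester on a phone
        events.append(SignIn(now - timedelta(days=d), "198.51.100.7", "Manchester", "GB",
                             53.4808, -2.2426, ios))
    # One old Paris sign-in that falls outside the 90-day window and must be ignored
    events.append(SignIn(now - timedelta(days=120), "192.0.2.44", "Paris", "FR",
                         48.8566, 2.3522, edge))
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def rarity(counter: Counter, value: str, total: int) -> float:
    """1.0 for a never-seen value, 0.0 for a value seen on every baseline sign-in."""
    return 1.0 - counter[value] / total if total else 1.0


def baseline_window(history: list[SignIn], candidate: SignIn) -> list[SignIn]:
    """Sign-ins strictly before the candidate and within the last BASELINE_DAYS."""
    return [e for e in history
            if e.when < candidate.when
            and candidate.when - e.when <= timedelta(days=BASELINE_DAYS)]


def features(history: list[SignIn], candidate: SignIn) -> dict[str, float]:
    window = baseline_window(history, candidate)
    n = len(window)
    cities = Counter(e.city for e in window)
    countries = Counter(e.country for e in window)
    ips = Counter(e.ip for e in window)
    agents = Counter(e.user_agent for e in window)
    if window:
        # Usual location = coordinates of the user's most frequent city
        usual_city = cities.most_common(1)[0][0]
        usual = next(e for e in window if e.city == usual_city)
        distance = haversine_km(usual.lat, usual.lon, candidate.lat, candidate.lon)
        high_conf = {c for c, k in countries.items() if k / n >= HIGH_CONFIDENCE_SHARE}
    else:
        distance, high_conf = 0.0, set()   # no history to compare against
    return {
        "city_rarity": rarity(cities, candidate.city, n),
        "country_rarity": rarity(countries, candidate.country, n),
        "ip_rarity": rarity(ips, candidate.ip, n),
        "user_agent_rarity": rarity(agents, candidate.user_agent, n),
        "distance_km": distance,
        "in_high_confidence_country": float(candidate.country in high_conf),
        "in_suspicious_country": float(candidate.country in SUSPICIOUS_COUNTRIES),
    }


def score(f: dict[str, float]) -> float:
    """Fixed weighted sum standing in for the rule's ML model (weights assumed)."""
    s = (0.25 * f["city_rarity"] + 0.25 * f["country_rarity"]
         + 0.2 * f["ip_rarity"] + 0.1 * f["user_agent_rarity"])
    s += 0.2 * min(f["distance_km"] / 1000.0, 1.0)   # saturate at 1000 km
    s += 0.3 * f["in_suspicious_country"]
    s -= 0.2 * f["in_high_confidence_country"]
    return max(0.0, min(1.0, s))


def is_anomalous(history: list[SignIn], candidate: SignIn) -> bool:
    return score(features(history, candidate)) >= ANOMALY_THRESHOLD


if __name__ == "__main__":
    now = datetime(2024, 4, 1)
    hist = constructed_baseline(now)
    usual = SignIn(now, "203.0.113.10", "London", "GB", 51.5074, -0.1278,
                   "Mozilla/5.0 (Windows NT 10.0) Edge/120")
    vpn = SignIn(now, "192.0.2.99", "Frankfurt", "DE", 50.1109, 8.6821,
                 "Mozilla/5.0 (X11; Linux x86_64) Firefox/121")
    for label, c in (("usual", usual), ("vpn", vpn)):
        print(label, is_anomalous(hist, c), features(hist, c))
```

The VPN sign-in in the `__main__` block is the test scenario from above: a never-seen city, country, IP and user agent about 640 km from the usual location, which the stand-in score flags, while a sign-in matching the baseline does not. Note that the old Paris sign-in is excluded by `baseline_window`, so France counts as a never-seen country even though it appears in the raw history.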