From 945d17fba988a52d0814ea9dd68c8f2651c64c8f Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Mon, 23 Mar 2026 11:02:29 -0400
Subject: [PATCH 1/2] [Rule Tuning] M365 Identity Login from Atypical Travel Location - Reduce FP Noise

Fixes #5865
---
 ...entra_id_portal_login_atypical_travel.toml | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml
index 422081e6b6c..8bceed6f78e 100644
--- a/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml
+++ b/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/10/30"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ event.dataset:o365.audit and
 event.outcome:success and
 o365.audit.Target.Type:(0 or 10 or 2 or 3 or 5 or 6) and
 o365.audit.UserId:(* and not "Not Available") and
- source.geo.region_iso_code:* and
+ source.geo.country_iso_code:* and
 not o365.audit.ApplicationId:(
 29d9ed98-a469-4536-ade2-f981bc1d605e or
 38aa3b87-a06d-4817-b275-7a316988d93b or
@@ -84,11 +84,16 @@ event.dataset:o365.audit and
 ) and
 not o365.audit.ExtendedProperties.RequestType:(
 "Cmsi:Cmsi" or
 "Consent:Set" or
+ "DeviceAuth:ReprocessTls" or
+ "Kmsi:kmsi" or
 "Login:reprocess" or
 "Login:resume" or
 "MessagePrompt:MessagePrompt" or
- "SAS:EndAuth"
- )
+ "Saml2:processrequest" or
+ "SAS:EndAuth" or
+ "SAS:ProcessAuth"
+ ) and
+ not user_agent.original:(*iPhone* or *iPad* or *Android* or *PKeyAuth*)
 '''
 
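Review bot: The new `not user_agent.original:(*iPhone* or *iPad* or *Android* or *PKeyAuth*)` clause at the end of the third hunk filters on a client-supplied string, so every sign-in that presents a mobile-looking user agent is now dropped from the new-terms baseline entirely rather than being excluded for a benign request type like the rest of the list, which widens the rule's blind spot well beyond the noisy MFA/resume sub-events the other additions target. The unanchored `*...*` terms also mean a pattern match over `user_agent.original` for every candidate event, which is worth checking against that field's mapping and the rule's query cost. If the mobile carve-out is deliberate (carrier IP geolocation is a plausible reason, but I cannot confirm it from the hunk), that reasoning and the resulting coverage gap belong in the rule's `note`/false-positives text, which sits outside this hunk, and a `#`-style comment is not available inside the query string itself. The `query` literal begins before the second hunk and the surrounding `[rule]` table continues past the third.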
@@ -119,14 +124,14 @@ field_names = [
 "o365.audit.ApplicationId",
 "o365.audit.ExtendedProperties.RequestType",
 "o365.audit.Target.ID",
- "source.geo.region_iso_code",
+ "source.geo.country_iso_code",
 ]
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["o365.audit.UserId", "source.geo.region_iso_code"]
+value = ["o365.audit.UserId", "source.geo.country_iso_code"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-7d"

From 4f8cc0df841e9b3088208583b193c0aa6929f572 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Wed, 25 Mar 2026 12:17:30 -0400
Subject: [PATCH 2/2] removing CMSI for FNs

---
 .../initial_access_entra_id_portal_login_atypical_travel.toml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml
index 8bceed6f78e..1655de624b2 100644
--- a/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml
+++ b/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml
@@ -82,7 +82,6 @@ event.dataset:o365.audit and
 38aa3b87-a06d-4817-b275-7a316988d93b or
 a809996b-059e-42e2-9866-db24b99a9782
 ) and
 not o365.audit.ExtendedProperties.RequestType:(
- "Cmsi:Cmsi" or
 "Consent:Set" or
 "DeviceAuth:ReprocessTls" or
 "Kmsi:kmsi" or
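Review bot: Changing the new-terms key to `source.geo.country_iso_code` and cutting `history_window_start` from `now-14d` to `now-7d` in the same hunk moves the definition of "atypical" in two directions at once: in-country relocations are no longer surfaced, while a country the user presumably last signed in from eight or more days ago is treated as new again, so the net alert volume depends on the tenant's travel pattern rather than being strictly lower. The hunk keeps `field_names` and `rule.new_terms` consistent with the query, but the rule description and investigation guide are not touched in this series; if they still describe region-level detection or a two-week baseline (they sit outside the hunk, so I cannot confirm), they should be updated in the same change. Since TOML has no way to attach the rationale to the value inline, a comment above the window such as `# shortened from 14d to reduce false positives (#5865)` would preserve the reason for the next tuning pass.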