Office 365 Login Analyzer
Overview
One of the first indications of an attack may be unexpected or repeated login attempts from unusual locations, even outside the country. An effective defense can be as simple as monitoring for login attempts originating outside the country. Unfortunately, this seemingly simple task is more complicated in a cloud environment.
The Office 365 Login Analyzer app tracks login attempts across all organizations and alerts you when an attempt to log in from a foreign country occurs. In the configuration settings, you can specify, independently for each organization, which countries you expect your cloud instances to be used from, or even allowlist individual IPs.
Configuring the Office 365 Login Analyzer settings
To configure the Office 365 Login Analyzer settings, follow these steps:
- In the left menu, click Dashboard.
- In the Office 365 Login Analyzer app card, click Configure.
- The Office 365 Login Analyzer App Configuration page will open. Here, you can turn alerts for specific countries on or off. When a country is set to on (indicated by a green toggle), you will not receive alerts for that country.
- If you turn on the Enable all countries toggle, a warning prompt will appear.
- You can turn on a toggle to report all failed logins, even from an allowlisted country.
- Click Update.
- You will then be redirected back to the Dashboard, where a confirmation success message will be displayed in the bottom-right corner.
Reviewing login events
You are back in the Dashboard. To review login attempts to your Office 365 instance, follow these steps:
- In the Office 365 Login Analyzer app card, click Review.
- The Office 365 Login Analyzer Events page will open. This page displays various columns that provide details on the login attempts, including the following:
  - The user attempting to log in
  - Their location
  - The event verdict (which can be informational, suspicious, or malicious)
  - The result of the login attempt (whether it was a Failure or a Success)
  - The date of detection
  - The name of the organization
- For detailed information, click Details next to the event you want to learn more about.
- Upon clicking Details, a new window will show the event details.
- To request that event data be sent to your email, select the checkbox next to the events you wish to receive the data about.
- Then, choose either CSV or JSON in the upper-right corner and click Download.
- A message will appear confirming that you have received an email with links to download the requested data. Click OK.
When to be concerned
You should be cautious in the following situations:
- If you receive a large number of login attempts, especially successful ones.
- If there are login attempts from new accounts, accounts with unusual names or names that do not follow your naming conventions, or accounts you have never seen before (especially if you are familiar with an organization's users), investigate immediately.
- If there are login attempts from countries where your organization does not have employees, particularly Russia, China, or Iran, investigate immediately.
- If you receive login alerts with non-zero reputation detections (i.e., at least one red dot in the alert circles), investigate immediately.
If this seems overwhelming, consider our Managed SOC plan. We will investigate and triage all login attempts, allowing you to relax.
When not to be concerned
Do not worry in the following cases:
- If your customer travels for business to a foreign country and there are a few successful logins from that location, it is likely a legitimate employee accessing the network while on a business trip.
- If you notice logins occurring at unusual times of the day or outside business hours, this could be malicious. However, keep time zones in mind. A login from someone in England that happens at 4 a.m. in the USA is reasonable. England is 5-8 hours ahead of North American working hours (depending on daylight saving time).