AlienVault® USM Anywhere™

Tutorial: Create a Notification Rule for Office 365 Users Logged In from a Different Location than Assigned

As a cloud-based subscription service, Microsoft Office 365 enables users to create and share from anywhere on any device. This can be problematic for some organizations, so Microsoft also provides conditional access policies to limit user access based on their locations. With a configured AlienApp for Office 365 and a notification rule, you can let USM Anywhere inform you when a user logs in to Office 365 from a location other than the one they are assigned to. This tutorial provides step-by-step instructions on how to create such a rule in USM Anywhere.

To create a notification rule for Office 365 user logged in events

  1. If not done already, enable and configure the AlienApp for Office 365.
  2. Go to the Office 365 Azure Active Directory Dashboard and under Login Activity, click the graph where the event count is not zero.

    This takes you to the Events page showing Office 365 Azure Active Directory (AD) login failure or success events. You can also go directly to the Events page and search for these events.

  3. Click one of the events to open event details on the right.
  4. Select Create Rule > Create Notification Rule.
  5. Type a name for the rule and select a notification method of your preference.
  6. USM Anywhere prepopulates the rule conditions based on the event. You can delete some conditions to make the rule more generic.
  7. To match a user logging in from a location other than the one they are assigned to, you need to add the following conditions:

    Source Registered Country != <user assigned location>

    Source Address 6 == ""

    Note: The "Source Address 6 is empty" condition prevents any device with an IP version 6 (IPv6) address from triggering this rule. AT&T Cybersecurity recommends adding this condition because IPv6 geolocation is relatively new and its current database is incomplete.

  8. To match all login events, make sure that you include every condition shown in this screenshot.

    Note: If you want the rule to only match successful login events or failed login events, you can add the Event Name condition and set it equal to UserLoggedIn or UserLoginFailed respectively.

  9. Save the rule.
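The following is an added example, not USM Anywhere code: it evaluates the rule conditions from steps 7 and 8 against constructed Office 365 login events, so you can see which events would trigger the notification and how the "Source Address 6 is empty" condition suppresses IPv6 sources. The per-user assignment table, the event field names and the sample events are assumptions made for the example; in USM Anywhere the assigned location is a literal country typed into the rule condition.

```python
"""Added example (not USM Anywhere code): applies the tutorial's
notification-rule conditions to constructed Office 365 login events."""
import ipaddress

# Assumed per-user assignment table (the rule in USM Anywhere uses a
# literal country in the "Source Registered Country !=" condition).
ASSIGNED_COUNTRY = {"alice@example.com": "US", "bob@example.com": "DE"}

# Constructed events; field names mirror the conditions in the tutorial
# (Event Name, Source Address / Source Address 6, Source Registered Country).
EVENTS = [
    {"event_name": "UserLoggedIn", "user": "alice@example.com",
     "source_address": "203.0.113.7", "source_registered_country": "US"},
    {"event_name": "UserLoggedIn", "user": "alice@example.com",
     "source_address": "198.51.100.20", "source_registered_country": "BR"},
    {"event_name": "UserLoginFailed", "user": "bob@example.com",
     "source_address": "192.0.2.9", "source_registered_country": "FR"},
    # IPv6 source: its geolocation is treated as unreliable, so the rule skips it
    {"event_name": "UserLoggedIn", "user": "bob@example.com",
     "source_address": "2001:db8::1", "source_registered_country": "JP"},
]


def split_address(addr):
    """Return (Source Address, Source Address 6): only one is populated."""
    ip = ipaddress.ip_address(addr)
    return ("", addr) if ip.version == 6 else (addr, "")


def rule_matches(event, event_name=None):
    """True when the event satisfies the tutorial's conditions:
    Source Registered Country != assigned location, Source Address 6 == "",
    and optionally Event Name == event_name (UserLoggedIn or UserLoginFailed)."""
    assigned = ASSIGNED_COUNTRY.get(event["user"])
    if assigned is None:
        return False  # no assigned location on file, nothing to compare
    _, addr6 = split_address(event["source_address"])
    if addr6 != "":
        return False  # "Source Address 6 is empty" condition from step 7
    if event_name is not None and event["event_name"] != event_name:
        return False  # optional Event Name condition from the step 8 note
    return event["source_registered_country"] != assigned


def notify(events, event_name=None):
    """Return the users for whom a notification would be sent."""
    return [e["user"] for e in events if rule_matches(e, event_name)]


if __name__ == "__main__":
    print(notify(EVENTS))                  # alice (BR) and bob (FR); IPv6 login skipped
    print(notify(EVENTS, "UserLoggedIn"))  # only alice's login from BR
```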