Sign In Rules

9 detection rules in this category.

Rule	Severity	MITRE	Source
Account locked out	High	T1110.001	SignIn
Anomalous token	High	T1528	SignIn
Anonymous IP sign-in	High	T1090.003	SignIn
High risk sign-in	Critical	T1078.004	SignIn
Impossible travel sign-in	Critical	T1078.004	SignIn
Leaked credentials detected	Critical	T1078.004	SignIn
Malware-linked IP sign-in	Critical	T1078.004	SignIn
Password spray attack	Critical	T1110.003	SignIn
Suspicious inbox manipulation	Critical	T1114.003	SignIn

Account locked out

Property	Value
Severity	🟠 High
Source	SignIn
MITRE	T1110.001 (Credential Access)

Account locked - possible brute force attack

Conditions

Match: all
status.errorCode Equals 50053

Anomalous token

Property	Value
Severity	🟠 High
Source	SignIn
MITRE	T1528 (Credential Access)

Anomalous token detected - possible token theft

Conditions

Match: all
riskEventTypes Contains anomalousToken

Property	Value
Severity	🟠 High
Source	SignIn
MITRE	T1090.003 (Defense Evasion)

Sign-in from anonymous IP (VPN/Tor)

Conditions

Match: all
riskEventTypes Contains anonymizedIPAddress

Property	Value
Severity	🔴 Critical
Source	SignIn
MITRE	T1078.004 (Initial Access)

High risk sign-in detected by Identity Protection

Conditions

Match: all
riskLevelDuringSignIn Equals high

Property	Value
Severity	🔴 Critical
Source	SignIn
MITRE	T1078.004 (Initial Access)

Impossible travel - sign-in from distant location

Conditions

Match: all
riskEventTypes Contains impossibleTravel

Leaked credentials detected

Property	Value
Severity	🔴 Critical
Source	SignIn
MITRE	T1078.004 (Initial Access)

User credentials found in breach database

Conditions

Match: all
riskEventTypes Contains leakedCredentials

Property	Value
Severity	🔴 Critical
Source	SignIn
MITRE	T1078.004 (Initial Access)

Sign-in from IP linked to malware

Conditions

Match: all
riskEventTypes Contains malwareInfectedIPAddress

Password spray attack

Property	Value
Severity	🔴 Critical
Source	SignIn
MITRE	T1110.003 (Credential Access)

Password spray attack detected

Conditions

Match: all
riskEventTypes Contains passwordSpray

Suspicious inbox manipulation

Property	Value
Severity	🔴 Critical
Source	SignIn
MITRE	T1114.003 (Collection)

Suspicious inbox forwarding detected post-sign-in

Conditions

Match: all
riskEventTypes Contains suspiciousInboxForwarding

Sign In Rules ​

Account locked out ​

Anomalous token ​

Anonymous IP sign-in ​

High risk sign-in ​

Impossible travel sign-in ​

Leaked credentials detected ​

Malware-linked IP sign-in ​

Password spray attack ​

Suspicious inbox manipulation ​

Account locked out

Anomalous token

Anonymous IP sign-in

High risk sign-in

Impossible travel sign-in

Leaked credentials detected

Malware-linked IP sign-in

Password spray attack

Suspicious inbox manipulation