Update o365_concurrent_sessions_from_different_ips.yml

nasbench · nasbench · commit d11917e14d51 · 2025-06-02T22:18:24.000+02:00
diff --git a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
@@ -1,7 +1,7 @@
 name: O365 Concurrent Sessions From Different Ips
 id: 58e034de-1f87-4812-9dc3-a4f68c7db930
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-06-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -17,7 +17,8 @@ data_source:
 - O365 UserLoggedIn
 search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoggedIn 
   | fillnull 
-  | stats count min(_time) as firstTime max(_time) as lastTime values(src) as src by signature dest user vendor_account vendor_product 
+  | stats count min(_time) as firstTime max(_time) as lastTime values(src) as src 
+    by signature dest user vendor_account vendor_product SessionId
   | where mvcount(src) > 1 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` 
