Azure Device No Longer Managed or Compliant

 1title: Azure Device No Longer Managed or Compliant
 2id: 542b9912-c01f-4e3f-89a8-014c48cdca7d
 3status: test
 4description: Identifies when a device in azure is no longer managed or compliant
 5references:
 6    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
 7author: Austin Songer @austinsonger
 8date: 2021-09-03
 9modified: 2022-10-09
10tags:
11    - attack.impact
12logsource:
13    product: azure
14    service: activitylogs
15detection:
16    selection:
17        properties.message:
18            - Device no longer compliant
19            - Device no longer managed
20    condition: selection
21falsepositives:
22    - Administrator may have forgotten to review the device.
23level: medium

References

• Microsoft Entra audit log activity reference - Microsoft Entra ID

  

  Get an overview of the audit activities that can be logged in your audit logs in Microsoft Entra ID.

  
  Read More

Related rules

• AADInternals PowerShell Cmdlets Execution - ProccessCreation
• AADInternals PowerShell Cmdlets Execution - PsScript
• AWS EC2 Disable EBS Encryption
• AWS EFS Fileshare Modified or Deleted
• AWS EFS Fileshare Mount Modified or Deleted