Azure Device No Longer Managed or Compliant

Identifies when a device in azure is no longer managed or compliant

Sigma rule (View on GitHub)

 1title: Azure Device No Longer Managed or Compliant
 2id: 542b9912-c01f-4e3f-89a8-014c48cdca7d
 3status: test
 4description: Identifies when a device in azure is no longer managed or compliant
 5references:
 6    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
 7author: Austin Songer @austinsonger
 8date: 2021/09/03
 9modified: 2022/10/09
10tags:
11    - attack.impact
12logsource:
13    product: azure
14    service: activitylogs
15detection:
16    selection:
17        properties.message:
18            - Device no longer compliant
19            - Device no longer managed
20    condition: selection
21falsepositives:
22    - Administrator may have forgotten to review the device.
23level: medium

References

Related rules

to-top