Change to Authentication Method
A change to an account's authentication method can indicate that an attacker has added an authentication method to the account in order to retain access to it.
Sigma rule
title: Change to Authentication Method
id: 4d78a000-ab52-4564-88a5-7ab5242b20c7
status: test
description: Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1556
    - attack.persistence
    - attack.defense-evasion
    - attack.t1098
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        LoggedByService: 'Authentication Methods'
        Category: 'UserManagement'
        OperationName: 'User registered security info'
    condition: selection
falsepositives:
    - Unknown
level: medium
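To show how the rule's selection evaluates against audit-log rows, here is an added Python example (not part of the rule or of the SigmaHQ project) that applies the three-field selection to constructed Microsoft Sentinel AuditLogs-style records and returns a triage summary for each hit. The sample rows and the nested layout assumed for InitiatedBy and TargetResources are assumptions for illustration.

```python
# Selection from the rule above: all three fields must match (logical AND).
# Sigma string matching is case-insensitive unless a modifier says otherwise.
SELECTION = {
    "LoggedByService": "Authentication Methods",
    "Category": "UserManagement",
    "OperationName": "User registered security info",
}

def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """True when every selection field is present and equal, ignoring case."""
    for field, expected in selection.items():
        value = event.get(field)
        if not isinstance(value, str) or value.casefold() != expected.casefold():
            return False
    return True

def triage_summary(event: dict) -> dict:
    """Pull the fields an analyst wants first: who made the change and for which account.
    The InitiatedBy/TargetResources shapes below are assumed for this example."""
    initiator = (event.get("InitiatedBy") or {}).get("user", {}).get("userPrincipalName", "<unknown>")
    targets = [t.get("userPrincipalName", "<unknown>") for t in event.get("TargetResources", [])]
    return {"time": event.get("TimeGenerated"), "initiated_by": initiator, "targets": targets}

# Constructed sample rows (not real telemetry). Only the first one should fire:
# the second is a different operation, the third comes from a different service.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-01-01T10:00:00Z", "LoggedByService": "Authentication Methods",
     "Category": "UserManagement", "OperationName": "User registered security info",
     "InitiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "TargetResources": [{"userPrincipalName": "alice@example.com"}]},
    {"TimeGenerated": "2024-01-01T10:05:00Z", "LoggedByService": "Authentication Methods",
     "Category": "UserManagement", "OperationName": "User deleted security info",
     "InitiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
     "TargetResources": [{"userPrincipalName": "bob@example.com"}]},
    {"TimeGenerated": "2024-01-01T10:10:00Z", "LoggedByService": "Core Directory",
     "Category": "UserManagement", "OperationName": "User registered security info",
     "InitiatedBy": {"user": {"userPrincipalName": "carol@example.com"}},
     "TargetResources": [{"userPrincipalName": "carol@example.com"}]},
]

def run_rule(events: list) -> list:
    """Apply the selection to every row and summarise the hits for triage."""
    return [triage_summary(e) for e in events if matches_selection(e)]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

When the initiator and the target differ, or the initiator is a service principal rather than a user, the hit deserves a closer look than a self-service MFA enrolment.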
Related rules
- CA Policy Removed by Non Approved Actor
- CA Policy Updated by Non Approved Actor
- Certificate-Based Authentication Enabled
- New Root Certificate Authority Added
- User Added To Group With CA Policy Modification Access