Change to Authentication Method

Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Sigma rule (View on GitHub)

 1title: Change to Authentication Method
 2id: 4d78a000-ab52-4564-88a5-7ab5242b20c7
 3status: test
 4description: Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 7author: AlertIQ
 8date: 2021/10/10
 9modified: 2022/12/25
10tags:
11    - attack.credential_access
12    - attack.t1556
13    - attack.persistence
14    - attack.defense_evasion
15    - attack.t1098
16logsource:
17    product: azure
18    service: auditlogs
19detection:
20    selection:
21        LoggedByService: 'Authentication Methods'
22        Category: 'UserManagement'
23        OperationName: 'User registered security info'
24    condition: selection
25falsepositives:
26    - Unknown
27level: medium

References

Related rules

to-top