Azure Device No Longer Managed or Compliant
Identifies when a device in azure is no longer managed or compliant
Sigma rule (View on GitHub)
1title: Azure Device No Longer Managed or Compliant
2id: 542b9912-c01f-4e3f-89a8-014c48cdca7d
3status: test
4description: Identifies when a device in azure is no longer managed or compliant
5references:
6 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
7author: Austin Songer @austinsonger
8date: 2021-09-03
9modified: 2026-04-30
10tags:
11 - attack.impact
12logsource:
13 product: azure
14 service: auditlogs
15detection:
16 selection:
17 operationName:
18 - 'Device no longer compliant'
19 - 'Device no longer managed'
20 condition: selection
21falsepositives:
22 - Administrator may have forgotten to review the device.
23level: medium
References
Related rules
- Azure Application Deleted
- Antivirus - Ransomware Signature
- Renamed Sysinternals Sdelete Execution
- Suspicious Volume Shadow Copy Vssapi.dll Load
- LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089