User Risk and MFA Registration Policy Updated
Detects changes and updates to the user risk and MFA registration policy. Attackers can modify these policies to bypass MFA, weaken security thresholds, facilitate further attacks, and maintain persistence.
Sigma rule

```yaml
title: User Risk and MFA Registration Policy Updated
id: d4c7758e-9417-4f2e-9109-6125d66dabef
status: test
description: |
  Detects changes and updates to the user risk and MFA registration policy.
  Attackers can modify these policies to bypass MFA, weaken security thresholds, facilitate further attacks, and maintain persistence.
references:
  - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
author: Harjot Singh (@cyb3rjy0t)
date: 2024-08-13
tags:
  - attack.persistence
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    LoggedByService: 'AAD Management UX'
    Category: 'Policy'
    OperationName: 'Update User Risk and MFA Registration Policy'
  condition: selection
falsepositives:
  - Known updates by administrators.
level: high
```
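Added example (not part of the rule or the SigmaHQ project): the rule's selection applied to constructed audit-log rows, with the stated false positive (known administrator updates) tagged for triage instead of dropped. The row shape (one JSON object per line using the AuditLogs column names, with `InitiatedBy.user.userPrincipalName`) and the `KNOWN_ADMINS` allowlist are assumptions.

```python
import json

# Selection copied from the rule. Sigma string matching is case-insensitive,
# so values are compared with casefold() below.
SELECTION = {
    "LoggedByService": "AAD Management UX",
    "Category": "Policy",
    "OperationName": "Update User Risk and MFA Registration Policy",
}

# Constructed sample rows (not real tenant data), shaped like an export of the
# Log Analytics AuditLogs table with one JSON object per line (assumption).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"Id": "evt-1", "LoggedByService": "AAD Management UX", "Category": "Policy",
     "OperationName": "Update User Risk and MFA Registration Policy",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@example.test"}}},
    {"Id": "evt-2", "LoggedByService": "AAD Management UX", "Category": "Policy",
     "OperationName": "Update conditional access policy",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@example.test"}}},
    {"Id": "evt-3", "LoggedByService": "aad management ux", "Category": "Policy",
     "OperationName": "Update User Risk and MFA Registration Policy",
     "InitiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}}},
])

# Hypothetical allowlist used to tag the rule's stated false positive
# ("known updates by administrators") rather than to suppress the alert.
KNOWN_ADMINS = {"admin@example.test"}

def matches(row):
    """`condition: selection`: every field in the selection must match."""
    return all(str(row.get(k, "")).casefold() == v.casefold()
               for k, v in SELECTION.items())

def actor(row):
    """Pull the initiating user's UPN out of the InitiatedBy structure."""
    user = (row.get("InitiatedBy") or {}).get("user") or {}
    return user.get("userPrincipalName", "<unknown>")

def detect(lines, known_admins=KNOWN_ADMINS):
    """Return (event id, actor, triage tag) for every row the rule fires on."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        if matches(row):
            who = actor(row)
            tag = "expected-admin" if who in known_admins else "investigate"
            hits.append((row["Id"], who, tag))
    return hits
```

Because Sigma compares strings case-insensitively, `evt-3` still fires despite the lowercased service name; `evt-2` is a different policy operation and is ignored.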
Related rules
- Multi Factor Authentication Disabled For User Account
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Common Autorun Keys Modification
- CurrentVersion Autorun Keys Modification
- Potential Amazon SSM Agent Hijacking