Authentications To Important Apps Using Single Factor Authentication
Detect when authentications to important application(s) only required single-factor authentication
Sigma rule (View on GitHub)
1title: Authentications To Important Apps Using Single Factor Authentication
2id: f272fb46-25f2-422c-b667-45837994980f
3status: test
4description: Detect when authentications to important application(s) only required single-factor authentication
5references:
6 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
7author: MikeDuddington, '@dudders1'
8date: 2022-07-28
9tags:
10 - attack.privilege-escalation
11 - attack.persistence
12 - attack.defense-evasion
13 - attack.initial-access
14 - attack.t1078
15logsource:
16 product: azure
17 service: signinlogs
18detection:
19 selection:
20 Status: 'Success'
21 AppId: 'Insert Application ID use OR for multiple'
22 AuthenticationRequirement: 'singleFactorAuthentication'
23 condition: selection
24falsepositives:
25 - If this was approved by System Administrator.
26level: medium
References
-
Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
Read More
Related rules
- AWS Key Pair Import Activity
- AWS Suspicious SAML Activity
- Account Created And Deleted Within A Close Time Frame
- Azure Domain Federation Settings Modified
- Azure Kubernetes Admission Controller