Device Registration or Join Without MFA
Monitor and alert for device registration or join events where MFA was not performed.
Sigma rule (View on GitHub)
1title: Device Registration or Join Without MFA
2id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
3status: test
4description: Monitor and alert for device registration or join events where MFA was not performed.
5references:
6 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
7author: Michael Epping, '@mepples21'
8date: 2022/06/28
9tags:
10 - attack.defense_evasion
11 - attack.t1078.004
12logsource:
13 product: azure
14 service: signinlogs
15detection:
16 selection:
17 ResourceDisplayName: 'Device Registration Service'
18 conditionalAccessStatus: 'success'
19 filter_mfa:
20 AuthenticationRequirement: 'multiFactorAuthentication'
21 condition: selection and not filter_mfa
22falsepositives:
23 - Unknown
24level: medium
References
-
Learn to establish baselines, and monitor and report on devices to identity potential security risks with devices.
Read More
Related rules
- Bitlocker Key Retrieval
- Guest User Invited By Non Approved Inviters
- Sign-ins by Unknown Devices
- Sign-ins from Non-Compliant Devices
- User Added To Privilege Role