Device Registration or Join Without MFA

Monitor and alert for device registration or join events where MFA was not performed.

Sigma rule

title: Device Registration or Join Without MFA
id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
status: test
description: Monitor and alert for device registration or join events where MFA was not performed.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
    - attack.defense-evasion
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ResourceDisplayName: 'Device Registration Service'
        conditionalAccessStatus: 'success'
    filter_mfa:
        AuthenticationRequirement: 'multiFactorAuthentication'
    condition: selection and not filter_mfa
falsepositives:
    - Unknown
level: medium
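The rule's condition evaluated over sign-in records, as an added example that is not part of the original page or the Sigma project. The field names and values are the rule's own; the records, their `id` values and the helper names are constructed for illustration.

```python
import json

# Field/value pairs copied from the rule's detection section.
SELECTION = {
    "ResourceDisplayName": "Device Registration Service",
    "conditionalAccessStatus": "success",
}
FILTER_MFA = {"AuthenticationRequirement": "multiFactorAuthentication"}


def matches(event, block):
    """Sigma map semantics: all fields must match (AND), strings case-insensitively.
    A field missing from the event never matches."""
    return all(
        str(event.get(field, "")).lower() == value.lower()
        for field, value in block.items()
    )


def is_alert(event):
    """condition: selection and not filter_mfa"""
    return matches(event, SELECTION) and not matches(event, FILTER_MFA)


# Constructed sign-in records (one JSON object per line), not real tenant data.
SAMPLE_LOG = """\
{"id": "evt-1", "ResourceDisplayName": "Device Registration Service", "conditionalAccessStatus": "success", "AuthenticationRequirement": "singleFactorAuthentication"}
{"id": "evt-2", "ResourceDisplayName": "Device Registration Service", "conditionalAccessStatus": "success", "AuthenticationRequirement": "multiFactorAuthentication"}
{"id": "evt-3", "ResourceDisplayName": "Device Registration Service", "conditionalAccessStatus": "notApplied", "AuthenticationRequirement": "singleFactorAuthentication"}
{"id": "evt-4", "ResourceDisplayName": "Microsoft Graph", "conditionalAccessStatus": "success", "AuthenticationRequirement": "singleFactorAuthentication"}
{"id": "evt-5", "ResourceDisplayName": "Device Registration Service", "conditionalAccessStatus": "success"}
"""


def alerts(log_text):
    """Return the ids of the records that would raise the alert."""
    events = (json.loads(line) for line in log_text.splitlines() if line.strip())
    return [e["id"] for e in events if is_alert(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_LOG))
```

Record `evt-3` is not flagged because `selection` requires `conditionalAccessStatus: 'success'`, so registrations where no Conditional Access policy was applied fall outside this rule. Record `evt-5` is flagged because a missing `AuthenticationRequirement` field cannot satisfy `filter_mfa`.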
