Device Registration or Join Without MFA
Monitor and alert for device registration or join events where MFA was not performed.
Sigma rule (View on GitHub)
1title: Device Registration or Join Without MFA
2id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
3status: test
4description: Monitor and alert for device registration or join events where MFA was not performed.
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
7author: Michael Epping, '@mepples21'
8date: 2022-06-28
9tags:
10 - attack.defense-evasion
11 - attack.t1078.004
12logsource:
13 product: azure
14 service: signinlogs
15detection:
16 selection:
17 ResourceDisplayName: 'Device Registration Service'
18 conditionalAccessStatus: 'success'
19 filter_mfa:
20 AuthenticationRequirement: 'multiFactorAuthentication'
21 condition: selection and not filter_mfa
22falsepositives:
23 - Unknown
24level: medium
References
Related rules
- Bitbucket User Login Failure
- Bitlocker Key Retrieval
- Github New Secret Created
- Github Self Hosted Runner Changes Detected
- Guest User Invited By Non Approved Inviters