Azure AD Only Single Factor Authentication Required
Detect when users are authenticating without MFA being required.
Sigma rule (View on GitHub)
1title: Azure AD Only Single Factor Authentication Required
2id: 28eea407-28d7-4e42-b0be-575d5ba60b2c
3status: test
4description: Detect when users are authenticating without MFA being required.
5references:
6 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
7author: MikeDuddington, '@dudders1'
8date: 2022-07-27
9tags:
10 - attack.privilege-escalation
11 - attack.persistence
12 - attack.defense-evasion
13 - attack.initial-access
14 - attack.credential-access
15 - attack.t1078.004
16 - attack.t1556.006
17logsource:
18 product: azure
19 service: signinlogs
20detection:
21 selection:
22 Status: 'Success'
23 AuthenticationRequirement: 'singleFactorAuthentication'
24 condition: selection
25falsepositives:
26 - If this was approved by System Administrator.
27level: low
References
-
Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
Read More
Related rules
- Application AppID Uri Configuration Changes
- Application URI Configuration Changes
- Bitbucket User Login Failure
- Failed Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Denied