Azure AD Only Single Factor Authentication Required
Detect when users are authenticating without MFA being required.
Sigma rule (View on GitHub)
1title: Azure AD Only Single Factor Authentication Required
2id: 28eea407-28d7-4e42-b0be-575d5ba60b2c
3status: test
4description: Detect when users are authenticating without MFA being required.
5references:
6 - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts
7author: MikeDuddington, '@dudders1'
8date: 2022/07/27
9tags:
10 - attack.initial_access
11 - attack.credential_access
12 - attack.t1078.004
13 - attack.t1556.006
14logsource:
15 product: azure
16 service: signinlogs
17detection:
18 selection:
19 Status: 'Success'
20 AuthenticationRequirement: 'singleFactorAuthentication'
21 condition: selection
22falsepositives:
23 - If this was approved by System Administrator.
24level: low
References
-
Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
Read More
Related rules
- Failed Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Interrupted
- Sign-in Failure Due to Conditional Access Requirements Not Met
- Successful Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Denied