Azure AD Only Single Factor Authentication Required
Detect when users are authenticating without MFA being required.
Sigma rule (View on GitHub)
1title: Azure AD Only Single Factor Authentication Required
2id: 28eea407-28d7-4e42-b0be-575d5ba60b2c
3status: test
4description: Detect when users are authenticating without MFA being required.
5references:
6 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
7author: MikeDuddington, '@dudders1'
8date: 2022-07-27
9tags:
10 - attack.privilege-escalation
11 - attack.persistence
12 - attack.initial-access
13 - attack.credential-access
14 - attack.stealth
15 - attack.defense-impairment
16 - attack.t1078.004
17 - attack.t1556.006
18logsource:
19 product: azure
20 service: signinlogs
21detection:
22 selection:
23 Status: 'Success'
24 AuthenticationRequirement: 'singleFactorAuthentication'
25 condition: selection
26falsepositives:
27 - If this was approved by System Administrator.
28level: low
References
-
Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
Read More
Related rules
- Application AppID Uri Configuration Changes
- Application URI Configuration Changes
- Bitbucket User Login Failure
- Failed Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Denied