Suspicious SignIns From A Non Registered Device
Detects a successful sign-in that Identity Protection flagged as risky (RiskState atRisk) and that completed with single-factor authentication, where the device has no trust type, i.e. it is neither Azure AD (Entra ID) registered nor joined. The check exists because a risky sign-in on an unmanaged device that was never challenged for MFA is a strong indicator of a compromised credential (T1078) rather than a legitimate user.
Sigma rule

title: Suspicious SignIns From A Non Registered Device
id: 572b12d4-9062-11ed-a1eb-0242ac120002
status: test
description: Detects risky authentication from a non AD registered device without MFA being required.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-01-10
modified: 2025-07-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.defense-evasion
    - attack.t1078
logsource:
    product: azure
    service: signinlogs
detection:
    selection_main:
        Status: 'Success'
        AuthenticationRequirement: 'singleFactorAuthentication'
        RiskState: 'atRisk'
    selection_empty1:
        DeviceDetail.trusttype: ''
    selection_empty2:
        DeviceDetail.trusttype: null
    condition: selection_main and 1 of selection_empty*
falsepositives:
    - Unknown
level: high
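The following Python is an added example, not part of the rule page or of SigmaHQ. It implements the rule's condition (`selection_main and 1 of selection_empty*`) over a handful of constructed sign-in records so you can see exactly which events fire. Assumptions: the records mimic the camelCase field names of Entra ID SignInLogs (`deviceDetail.trustType`), so the lookup is case-insensitive to match the Sigma field names; and, following the Sigma specification, a `null` value is treated as "field absent from the event", which is why a record with no `trustType` key at all matches `selection_empty2`.

```python
"""Evaluate the Sigma rule 'Suspicious SignIns From A Non Registered Device'
over constructed Azure sign-in records.

Added example, not part of the original rule or of SigmaHQ. The records are
constructed for illustration; they mimic the camelCase field names of Entra ID
SignInLogs (deviceDetail.trustType), so lookups are case-insensitive to match
the Sigma field names used by the rule."""
from typing import Any

MISSING = object()  # sentinel: the field is absent from the record


def get_field(record: dict, dotted: str) -> Any:
    """Resolve a dotted Sigma field name (e.g. 'DeviceDetail.trusttype')
    against a nested dict, matching each key case-insensitively.
    Returns MISSING if any element of the path does not exist."""
    node: Any = record
    for part in dotted.split("."):
        if not isinstance(node, dict):
            return MISSING
        found = MISSING
        for key, value in node.items():
            if key.lower() == part.lower():
                found = value
                break
        if found is MISSING:
            return MISSING
        node = found
    return node


def selection_main(record: dict) -> bool:
    """selection_main: every listed field must match (AND within a selection)."""
    return (
        get_field(record, "Status") == "Success"
        and get_field(record, "AuthenticationRequirement") == "singleFactorAuthentication"
        and get_field(record, "RiskState") == "atRisk"
    )


def selection_empty(record: dict) -> bool:
    """'1 of selection_empty*': trust type is the empty string (selection_empty1)
    or null (selection_empty2). In Sigma a null value matches an event in which
    the field is absent, so a record with no trustType key at all also matches."""
    value = get_field(record, "DeviceDetail.trusttype")
    return value == "" or value is None or value is MISSING


def rule_matches(record: dict) -> bool:
    """condition: selection_main and 1 of selection_empty*"""
    return selection_main(record) and selection_empty(record)


def run(records: list) -> list:
    """Return the ids of the records the rule would alert on, in input order."""
    return [r["id"] for r in records if rule_matches(r)]


def base(id_: str, **overrides: Any) -> dict:
    """Build a constructed sign-in record that satisfies selection_main and has
    an empty trustType; keyword overrides switch individual fields off."""
    rec = {
        "id": id_,
        "userPrincipalName": "alice@example.com",  # constructed value
        "status": "Success",
        "authenticationRequirement": "singleFactorAuthentication",
        "riskState": "atRisk",
        "deviceDetail": {"operatingSystem": "Windows", "trustType": ""},
    }
    rec.update(overrides)
    return rec


# Constructed sample sign-ins: the first three should fire, the rest should not.
SAMPLE_SIGNINS = [
    base("s1"),                                                                  # trustType ""   -> match
    base("s2", deviceDetail={"operatingSystem": "iOS"}),                         # key absent     -> match (null)
    base("s3", deviceDetail={"operatingSystem": "Windows", "trustType": None}),  # explicit null  -> match
    base("s4", deviceDetail={"trustType": "Azure AD joined"}),                   # joined device  -> no match
    base("s5", authenticationRequirement="multiFactorAuthentication"),           # MFA satisfied  -> no match
    base("s6", riskState="none"),                                                # not risky      -> no match
    base("s7", status="Failure"),                                                # failed sign-in -> no match
]

if __name__ == "__main__":
    print("alerting records:", run(SAMPLE_SIGNINS))
```

The two `selection_empty` entries are not redundant: backends such as KQL or SPL treat an empty string and a missing/null field differently, so a rule that only checked `''` would silently skip sign-ins whose `deviceDetail` block carries no `trustType` at all. When tuning the `Unknown` false-positive entry, start by excluding service accounts and break-glass identities that legitimately sign in from unregistered hosts, rather than loosening the `atRisk` or single-factor conditions, since those two are what make the alert high-fidelity.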
Related rules
- AWS Key Pair Import Activity
- AWS Suspicious SAML Activity
- Account Created And Deleted Within A Close Time Frame
- Authentications To Important Apps Using Single Factor Authentication
- Azure Domain Federation Settings Modified
