Suspicious SignIns From A Non Registered Device

Detects a risky authentication from a device that is not registered in Azure AD, where no MFA was required.

Sigma rule (View on GitHub)

title: Suspicious SignIns From A Non Registered Device
id: 572b12d4-9062-11ed-a1eb-0242ac120002
status: test
description: Detects risky authentication from a non AD registered device without MFA being required.
references:
    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
author: Harjot Singh, '@cyb3rjy0t'
date: 2023/01/10
tags:
    - attack.defense_evasion
    - attack.t1078
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: 'Success'
        AuthenticationRequirement: 'singleFactorAuthentication'
        DeviceDetail.trusttype: ''
        RiskState: 'atRisk'
    condition: selection
falsepositives:
    - Unknown
level: high
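As an added example (not part of the SigmaHQ rule or this page), the rule's selection block evaluated in Python over constructed Azure sign-in records, including the edge case where the DeviceDetail block is missing rather than carrying an empty trusttype. Field names follow the rule; the sample events and the "Azure AD joined" value are constructed test data.

```python
from typing import Any

# Field/value pairs from the rule's `selection` block; all must match (Sigma AND semantics).
SELECTION = {
    "Status": "Success",
    "AuthenticationRequirement": "singleFactorAuthentication",
    "DeviceDetail.trusttype": "",
    "RiskState": "atRisk",
}


def get_field(record: dict, dotted: str) -> Any:
    """Resolve a dotted Sigma field name against a nested dict; None if absent."""
    cur: Any = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(record: dict) -> bool:
    """True when every selection field equals its expected value.
    The rule keys on DeviceDetail.trusttype being the empty string. A record
    with no DeviceDetail block at all resolves to None here and does NOT match,
    so confirm how your pipeline represents an unregistered device.
    """
    return all(get_field(record, f) == v for f, v in SELECTION.items())


# Constructed sample sign-in events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: risky single-factor sign-in, device has no trust type -> alert
    {"Status": "Success", "AuthenticationRequirement": "singleFactorAuthentication",
     "DeviceDetail": {"trusttype": ""}, "RiskState": "atRisk"},
    # 2: same, but device is Azure AD joined -> no alert
    {"Status": "Success", "AuthenticationRequirement": "singleFactorAuthentication",
     "DeviceDetail": {"trusttype": "Azure AD joined"}, "RiskState": "atRisk"},
    # 3: MFA was required -> no alert
    {"Status": "Success", "AuthenticationRequirement": "multiFactorAuthentication",
     "DeviceDetail": {"trusttype": ""}, "RiskState": "atRisk"},
    # 4: DeviceDetail block absent -> field resolves to None, no alert
    {"Status": "Success", "AuthenticationRequirement": "singleFactorAuthentication",
     "RiskState": "atRisk"},
]


def alerting_indexes(events: list) -> list:
    """1-based indexes of events the rule's selection fires on."""
    return [i for i, e in enumerate(events, 1) if matches(e)]
```

Only the first sample event fires; event 4 shows that a missing DeviceDetail key is not the same as an empty trusttype, which is worth verifying against real exports before relying on this rule.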
