Sign-ins from Non-Compliant Devices
Monitor and alert for sign-ins where the device was non-compliant.
Sigma rule (View on GitHub)
1title: Sign-ins from Non-Compliant Devices
2id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284
3status: test
4description: Monitor and alert for sign-ins where the device was non-compliant.
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
7author: Michael Epping, '@mepples21'
8date: 2022-06-28
9tags:
10 - attack.privilege-escalation
11 - attack.persistence
12 - attack.initial-access
13 - attack.defense-evasion
14 - attack.t1078.004
15logsource:
16 product: azure
17 service: signinlogs
18detection:
19 selection:
20 DeviceDetail.isCompliant: 'false'
21 condition: selection
22falsepositives:
23 - Unknown
24level: high
References
-
Learn to establish baselines, and monitor and report on devices to identity potential security risks with devices.
Read More
Related rules
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation
- AWS Root Credentials
- AWS SAML Provider Deletion Activity