Sign-ins from Non-Compliant Devices
Monitor and alert for sign-ins where the device was non-compliant.
Sigma rule (View on GitHub)
1title: Sign-ins from Non-Compliant Devices
2id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284
3status: test
4description: Monitor and alert for sign-ins where the device was non-compliant.
5references:
6 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
7author: Michael Epping, '@mepples21'
8date: 2022/06/28
9tags:
10 - attack.defense_evasion
11 - attack.t1078.004
12logsource:
13 product: azure
14 service: signinlogs
15detection:
16 selection:
17 DeviceDetail.isCompliant: 'false'
18 condition: selection
19falsepositives:
20 - Unknown
21level: high
References
Related rules
- Bitlocker Key Retrieval
- Device Registration or Join Without MFA
- Guest User Invited By Non Approved Inviters
- Sign-ins by Unknown Devices
- User Added To Privilege Role