Sign-ins from Non-Compliant Devices

Monitor and alert for sign-ins where the device was non-compliant.

Sigma rule (View on GitHub)

 1title: Sign-ins from Non-Compliant Devices
 2id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284
 3status: test
 4description: Monitor and alert for sign-ins where the device was non-compliant.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
 7author: Michael Epping, '@mepples21'
 8date: 2022-06-28
 9tags:
10    - attack.defense-evasion
11    - attack.t1078.004
12logsource:
13    product: azure
14    service: signinlogs
15detection:
16    selection:
17        DeviceDetail.isCompliant: 'false'
18    condition: selection
19falsepositives:
20    - Unknown
21level: high

References

Related rules

to-top