Sign-ins by Unknown Devices
Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
Sigma rule (View on GitHub)
1title: Sign-ins by Unknown Devices
2id: 4d136857-6a1a-432a-82fc-5dd497ee5e7c
3status: test
4description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
7author: Michael Epping, '@mepples21'
8date: 2022-06-28
9modified: 2022-10-05
10tags:
11 - attack.defense-evasion
12 - attack.t1078.004
13logsource:
14 product: azure
15 service: signinlogs
16detection:
17 selection:
18 AuthenticationRequirement: singleFactorAuthentication
19 ResultType: 0
20 NetworkLocationDetails: '[]'
21 DeviceDetail.deviceId: ''
22 condition: selection
23falsepositives:
24 - Unknown
25level: low
References
-
Learn to establish baselines, and monitor and report on devices to identity potential security risks with devices.
Read More
Related rules
- Bitbucket User Login Failure
- Bitlocker Key Retrieval
- Device Registration or Join Without MFA
- Github New Secret Created
- Github Self Hosted Runner Changes Detected