Sign-ins by Unknown Devices
Monitor and alert on successful single-factor sign-ins by unknown devices (sign-ins that carry no device ID) from locations that are not trusted named locations.
Sigma rule
```yaml
title: Sign-ins by Unknown Devices
id: 4d136857-6a1a-432a-82fc-5dd497ee5e7c
status: test
description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
author: Michael Epping, '@mepples21'
date: 2022-06-28
modified: 2022-10-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.defense-evasion
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        AuthenticationRequirement: singleFactorAuthentication
        ResultType: 0
        NetworkLocationDetails: '[]'
        DeviceDetail.deviceId: ''
    condition: selection
falsepositives:
    - Unknown
level: low
```
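All four fields of the `selection` map must hold at once (Sigma ANDs them): a successful (`ResultType: 0`) single-factor sign-in, with an empty `NetworkLocationDetails` array (no named or trusted location matched) and an empty `DeviceDetail.deviceId` (the device is not registered or joined). The following script applies exactly that logic to constructed sign-in records. It is an added example, not code from the SigmaHQ rule or from Microsoft; the sample rows, the `Id` and user values in them, and the two export shapes it tolerates (`DeviceDetail` as a nested object or as a JSON string, `NetworkLocationDetails` as a parsed list or the serialised string `[]`) are assumptions made for illustration.

```python
"""Run the rule's 'selection' over constructed Entra ID sign-in records.

Added example, not code from the SigmaHQ rule or from Microsoft. The sample
rows below are constructed to resemble SigninLogs records exported from
Log Analytics; every identifier and value in them is made up.
"""
import json
from typing import Any

# The rule's 'selection' block: Sigma ANDs the fields of a selection map.
SELECTION: dict[str, Any] = {
    "AuthenticationRequirement": "singleFactorAuthentication",
    "ResultType": 0,
    "NetworkLocationDetails": "[]",
    "DeviceDetail.deviceId": "",
}


def get_field(record: dict, dotted: str) -> Any:
    """Resolve a Sigma dotted field name such as 'DeviceDetail.deviceId'.
    A value that is a JSON string (an assumed alternative export shape) is
    parsed before descending into it."""
    value: Any = record
    for part in dotted.split("."):
        if isinstance(value, str):
            try:
                value = json.loads(value)
            except ValueError:
                return None
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def matches_selection(record: dict) -> bool:
    """True when every field of SELECTION matches the record (implicit AND)."""
    for field, expected in SELECTION.items():
        actual = get_field(record, field)
        if field == "ResultType":
            # ResultType is numeric in the schema but may be exported as text.
            try:
                actual = int(actual)
            except (TypeError, ValueError):
                return False
        elif field == "NetworkLocationDetails" and isinstance(actual, list):
            # The rule's '[]' is the serialised empty array; map a parsed
            # list back to that form so both shapes compare the same way.
            actual = "[]" if not actual else json.dumps(actual)
        elif actual is None:
            # A missing deviceId is treated like the '' the rule expects.
            actual = ""
        if actual != expected:
            return False
    return True


def find_unknown_device_signins(records: list[dict]) -> list[str]:
    """Return the Id of every record the rule would alert on."""
    return [r["Id"] for r in records if matches_selection(r)]


# Constructed sample rows (made-up values); only rows 1 and 6 should fire.
SAMPLE_SIGNINS: list[dict] = [
    {"Id": "signin-1",  # single-factor success, no location, no device id
     "AuthenticationRequirement": "singleFactorAuthentication",
     "ResultType": 0, "NetworkLocationDetails": "[]",
     "DeviceDetail": {"deviceId": "", "operatingSystem": "Windows 10"}},
    {"Id": "signin-2",  # MFA satisfied -> no alert
     "AuthenticationRequirement": "multiFactorAuthentication",
     "ResultType": 0, "NetworkLocationDetails": "[]",
     "DeviceDetail": {"deviceId": "", "operatingSystem": "Windows 10"}},
    {"Id": "signin-3",  # trusted named location matched -> no alert
     "AuthenticationRequirement": "singleFactorAuthentication",
     "ResultType": 0,
     "NetworkLocationDetails": [{"networkType": "trustedNamedLocation",
                                 "networkNames": ["Corp-HQ"]}],
     "DeviceDetail": {"deviceId": "", "operatingSystem": "macOS"}},
    {"Id": "signin-4",  # registered device carries a deviceId -> no alert
     "AuthenticationRequirement": "singleFactorAuthentication",
     "ResultType": 0, "NetworkLocationDetails": "[]",
     "DeviceDetail": {"deviceId": "9f1c2d3e-0000-4000-8000-000000000001",
                      "operatingSystem": "Windows 11"}},
    {"Id": "signin-5",  # failed sign-in -> no alert
     "AuthenticationRequirement": "singleFactorAuthentication",
     "ResultType": 50126, "NetworkLocationDetails": "[]",
     "DeviceDetail": {"deviceId": "", "operatingSystem": "Android"}},
    {"Id": "signin-6",  # row 1 again in the alternative export shape -> alert
     "AuthenticationRequirement": "singleFactorAuthentication",
     "ResultType": "0", "NetworkLocationDetails": [],
     "DeviceDetail": '{"deviceId": "", "operatingSystem": "Android"}'},
]

if __name__ == "__main__":
    print(find_unknown_device_signins(SAMPLE_SIGNINS))
```

Rows 2 to 5 each break exactly one of the four conditions, which is the quickest way to confirm that the selection is a conjunction: an MFA sign-in, a sign-in from a trusted named location, a registered device, or a failed attempt is enough on its own to suppress the alert.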
Related rules
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation
- AWS Root Credentials
- AWS SAML Provider Deletion Activity