Sign-ins by Unknown Devices

Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.

Sigma rule (View on GitHub)

 1title: Sign-ins by Unknown Devices
 2id: 4d136857-6a1a-432a-82fc-5dd497ee5e7c
 3status: test
 4description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
 7author: Michael Epping, '@mepples21'
 8date: 2022-06-28
 9modified: 2022-10-05
10tags:
11    - attack.defense-evasion
12    - attack.t1078.004
13logsource:
14    product: azure
15    service: signinlogs
16detection:
17    selection:
18        AuthenticationRequirement: singleFactorAuthentication
19        ResultType: 0
20        NetworkLocationDetails: '[]'
21        DeviceDetail.deviceId: ''
22    condition: selection
23falsepositives:
24    - Unknown
25level: low

References

Related rules

to-top