Sign-ins by Unknown Devices
Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
Sigma rule (View on GitHub)
1title: Sign-ins by Unknown Devices
2id: 4d136857-6a1a-432a-82fc-5dd497ee5e7c
3status: test
4description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
5references:
6 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
7author: Michael Epping, '@mepples21'
8date: 2022/06/28
9modified: 2022/10/05
10tags:
11 - attack.defense_evasion
12 - attack.t1078.004
13logsource:
14 product: azure
15 service: signinlogs
16detection:
17 selection:
18 AuthenticationRequirement: singleFactorAuthentication
19 ResultType: 0
20 NetworkLocationDetails: '[]'
21 DeviceDetail.deviceId: ''
22 condition: selection
23falsepositives:
24 - Unknown
25level: low
References
Related rules
- Bitlocker Key Retrieval
- Device Registration or Join Without MFA
- Guest User Invited By Non Approved Inviters
- Sign-ins from Non-Compliant Devices
- User Added To Privilege Role