Use of Legacy Authentication Protocols
Alert on when legacy authentication has been used on an account
Sigma rule (View on GitHub)
1title: Use of Legacy Authentication Protocols
2id: 60f6535a-760f-42a9-be3f-c9a0a025906e
3status: test
4description: Alert on when legacy authentication has been used on an account
5references:
6 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
7author: Yochana Henderson, '@Yochana-H'
8date: 2022-06-17
9tags:
10 - attack.initial-access
11 - attack.credential-access
12 - attack.t1078.004
13 - attack.t1110
14logsource:
15 product: azure
16 service: signinlogs
17detection:
18 selection:
19 ActivityDetails: Sign-ins
20 ClientApp:
21 - Other client
22 - IMAP
23 - POP3
24 - MAPI
25 - SMTP
26 - Exchange ActiveSync
27 - Exchange Web Services
28 Username: 'UPN'
29 condition: selection
30falsepositives:
31 - User has been put in acception group so they can use legacy authentication
32level: high
References
-
Learn about baselines, and how to monitor and alert on potential security issues with privileged accounts in Microsoft Entra ID.
Read More
Related rules
- Failed Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Denied
- Multifactor Authentication Interrupted
- Potential MFA Bypass Using Legacy Client Authentication
- Sign-in Failure Due to Conditional Access Requirements Not Met