Use of Legacy Authentication Protocols

Alerts when legacy authentication has been used on an account.

Sigma rule

title: Use of Legacy Authentication Protocols
id: 60f6535a-760f-42a9-be3f-c9a0a025906e
status: test
description: Alert on when legacy authentication has been used on an account
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
author: Yochana Henderson, '@Yochana-H'
date: 2022-06-17
tags:
    - attack.initial-access
    - attack.credential-access
    - attack.t1078.004
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ActivityDetails: Sign-ins
        # Any one of the client apps below satisfies this field
        ClientApp:
            - Other client
            - IMAP
            - POP3
            - MAPI
            - SMTP
            - Exchange ActiveSync
            - Exchange Web Services
        # Placeholder: as written this matches only the literal string 'UPN';
        # replace it with the UPN(s) of the account(s) to monitor
        Username: 'UPN'
    condition: selection
falsepositives:
    - User has been put in exception group so they can use legacy authentication
level: high
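
The selection logic of the rule above, evaluated over constructed sign-in records. This is an added example, not code from the Sigma project. It assumes events already flattened to the rule's field names; `matches`, `with_usernames`, `hits` and the example.com accounts are hypothetical. It shows that the literal `Username: 'UPN'` value matches no real account until it is replaced with the UPNs to monitor.

```python
# Selection copied from the rule above: every field must match (AND),
# any value in a field's list may match (OR).
SELECTION = {
    "ActivityDetails": ["Sign-ins"],
    "ClientApp": ["Other client", "IMAP", "POP3", "MAPI", "SMTP",
                  "Exchange ActiveSync", "Exchange Web Services"],
    "Username": ["UPN"],
}


def matches(event, selection):
    """Sigma-style plain-value match: case-insensitive, whole-string equality."""
    for field, allowed in selection.items():
        value = event.get(field)
        if value is None:
            return False  # a missing field can never satisfy the selection
        if str(value).lower() not in {a.lower() for a in allowed}:
            return False
    return True


def with_usernames(selection, upns):
    """Copy of the selection with the Username placeholder replaced by real UPNs."""
    tuned = dict(selection)
    tuned["Username"] = list(upns)
    return tuned


# Constructed sample events (not real log data), keyed by the rule's field names.
SAMPLE_EVENTS = [
    {"ActivityDetails": "Sign-ins", "ClientApp": "IMAP", "Username": "admin@example.com"},
    {"ActivityDetails": "Sign-ins", "ClientApp": "Browser", "Username": "admin@example.com"},
    {"ActivityDetails": "Sign-ins", "ClientApp": "pop3", "Username": "Admin@Example.com"},
    {"ActivityDetails": "Sign-ins", "ClientApp": "SMTP", "Username": "user@example.com"},
    {"ActivityDetails": "Sign-ins", "ClientApp": "MAPI"},
]


def hits(selection, events=SAMPLE_EVENTS):
    """Indexes of the events the selection fires on."""
    return [i for i, e in enumerate(events) if matches(e, selection)]


if __name__ == "__main__":
    print("rule as written:", hits(SELECTION))
    tuned = with_usernames(SELECTION, ["admin@example.com"])
    print("tuned to admin@example.com:", hits(tuned))
```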
