Azure Unusual Authentication Interruption

Aug 12, 2024 · attack.initial-access attack.t1078 ·

Detects when there is a interruption in the authentication process.

Sigma rule (View on GitHub)

 1title: Azure Unusual Authentication Interruption
 2id: 8366030e-7216-476b-9927-271d79f13cf3
 3status: test
 4description: Detects when there is a interruption in the authentication process.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 7author: Austin Songer @austinsonger
 8date: 2021-11-26
 9modified: 2022-12-18
10tags:
11    - attack.initial-access
12    - attack.t1078
13logsource:
14    product: azure
15    service: signinlogs
16detection:
17    selection_50097:
18        ResultType: 50097
19        ResultDescription: 'Device authentication is required'
20    selection_50155:
21        ResultType: 50155
22        ResultDescription: 'DeviceAuthenticationFailed'
23    selection_50158:
24        ResultType: 50158
25        ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied'
26    condition: 1 of selection_*
27falsepositives:
28    - Unknown
29level: medium

References

Security operations for privileged accounts in Microsoft Entra ID - Microsoft Entra

Learn about baselines, and how to monitor and alert on potential security issues with privileged accounts in Microsoft Entra ID.

Read More

Azure Unusual Authentication Interruption

Sigma rule (View on GitHub)

References

Security operations for privileged accounts in Microsoft Entra ID - Microsoft Entra

Related rules