Azure Unusual Authentication Interruption

Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.defense-evasion attack.initial-access attack.t1078 ·

Share on:

Detects when there is a interruption in the authentication process.

Sigma rule (View on GitHub)

 1title: Azure Unusual Authentication Interruption
 2id: 8366030e-7216-476b-9927-271d79f13cf3
 3status: test
 4description: Detects when there is a interruption in the authentication process.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 7author: Austin Songer @austinsonger
 8date: 2021-11-26
 9modified: 2022-12-18
10tags:
11    - attack.privilege-escalation
12    - attack.persistence
13    - attack.defense-evasion
14    - attack.initial-access
15    - attack.t1078
16logsource:
17    product: azure
18    service: signinlogs
19detection:
20    selection_50097:
21        ResultType: 50097
22        ResultDescription: 'Device authentication is required'
23    selection_50155:
24        ResultType: 50155
25        ResultDescription: 'DeviceAuthenticationFailed'
26    selection_50158:
27        ResultType: 50158
28        ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied'
29    condition: 1 of selection_*
30falsepositives:
31    - Unknown
32level: medium

References

Security operations for privileged accounts in Microsoft Entra ID - Microsoft Entra

Learn about baselines, and how to monitor and alert on potential security issues with privileged accounts in Microsoft Entra ID.

Read More

Azure Unusual Authentication Interruption

Sigma rule (View on GitHub)

References

Security operations for privileged accounts in Microsoft Entra ID - Microsoft Entra

Related rules