Azure Unusual Authentication Interruption
Detects when there is a interruption in the authentication process.
Sigma rule (View on GitHub)
1title: Azure Unusual Authentication Interruption
2id: 8366030e-7216-476b-9927-271d79f13cf3
3status: test
4description: Detects when there is a interruption in the authentication process.
5references:
6 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
7author: Austin Songer @austinsonger
8date: 2021/11/26
9modified: 2022/12/18
10tags:
11 - attack.initial_access
12 - attack.t1078
13logsource:
14 product: azure
15 service: signinlogs
16detection:
17 selection_50097:
18 ResultType: 50097
19 ResultDescription: 'Device authentication is required'
20 selection_50155:
21 ResultType: 50155
22 ResultDescription: 'DeviceAuthenticationFailed'
23 selection_50158:
24 ResultType: 50158
25 ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied'
26 condition: 1 of selection_*
27falsepositives:
28 - Unknown
29level: medium
References
Related rules
- Account Tampering - Suspicious Failed Logon Reasons
- Application Using Device Code Authentication Flow
- Applications That Are Using ROPC Authentication Flow
- Authentications To Important Apps Using Single Factor Authentication
- Azure Domain Federation Settings Modified