Users Authenticating To Other Azure AD Tenants
Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.
Sigma rule (View on GitHub)
1title: Users Authenticating To Other Azure AD Tenants
2id: 5f521e4b-0105-4b72-845b-2198a54487b9
3status: test
4description: Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.
5references:
6 - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins
7author: MikeDuddington, '@dudders1'
8date: 2022/06/30
9tags:
10 - attack.initial_access
11 - attack.t1078.004
12logsource:
13 product: azure
14 service: signinlogs
15detection:
16 selection:
17 Status: 'Success'
18 HomeTenantId: 'HomeTenantID'
19 filter:
20 ResourceTenantId|contains: 'HomeTenantID'
21 condition: selection and not filter
22falsepositives:
23 - If this was approved by System Administrator.
24level: medium
References
-
Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
Read More
Related rules
- Account Disabled or Blocked for Sign in Attempts
- Azure AD Only Single Factor Authentication Required
- Azure Subscription Permission Elevation Via ActivityLogs
- Failed Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Interrupted