Added device registration w/o MFA sigma rule

2022-06-28 11:12:12 -07:00
parent 587b5aa6a7
commit ff178408c8
1 changed files with 27 additions and 0 deletions
@@ -0,0 +1,27 @@
+title: Device Registration or Join Without MFA
+id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
+description: Monitor and alert for device registration or join events where MFA was not performed.
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+references:
+  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
+logsource:
+  product: azure
+  service: signinlogs
+detection:
+  selection:
+    ResourceDisplayName:
+      - Device Registration Service
+    conditionalAccessStatus:
+      - success
+  filter_mfa:
+    AuthenticationRequirement:
+      - 'multiFactorAuthentication'
+  condition: selection and not filter_mfa
+falsepositives:
+  - Unknown
+level: medium
+status: experimental
+tags:
+  - attack.valid_accounts
+  - attack.t1078