From ff178408c8e51ea209b0d4cb43aef2a1d6d4f672 Mon Sep 17 00:00:00 2001
From: Michael Epping <19227815+mepples21@users.noreply.github.com>
Date: Tue, 28 Jun 2022 11:12:12 -0700
Subject: [PATCH] Added device registration w/o MFA sigma rule

---
 ...evice_registration_or_join_without_mfa.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml

diff --git a/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml b/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml
new file mode 100644
index 000000000..b36baa9fd
--- /dev/null
+++ b/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml
@@ -0,0 +1,27 @@
+title: Device Registration or Join Without MFA
+id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
+description: Monitor and alert for device registration or join events where MFA was not performed.
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ ResourceDisplayName:
+ - Device Registration Service
+ conditionalAccessStatus:
+ - success
+ filter_mfa:
+ AuthenticationRequirement:
+ - 'multiFactorAuthentication'
+ condition: selection and not filter_mfa
+falsepositives:
+ - Unknown
+level: medium
+status: experimental
+tags:
+ - attack.valid_accounts
+ - attack.t1078
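Review bot: The `selection` block requires `conditionalAccessStatus: success`, which drops exactly the registrations this rule most wants to surface: a sign-in to the Device Registration Service that no Conditional Access policy evaluated at all is logged with `conditionalAccessStatus` of `notApplied`, not `success`, so a tenant with no device-registration policy in scope produces no alert. Unless the author intends to scope this to tenants where a policy is known to apply, the list should read `conditionalAccessStatus:` / `- success` / `- notApplied`, and the description should say which case it covers. Separately, `falsepositives: Unknown` is thin for a medium-level rule; I would expect at least a note that bulk or automated enrollment flows in the tenant need to be baselined before this is tuned, if that matches the author's experience. The whitespace in this patch has been flattened, so the YAML nesting under `detection` cannot be confirmed from the page and should be checked against the committed file.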