646351808e
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
30 lines
950 B
YAML
title: Azure Unusual Authentication Interruption
id: 8366030e-7216-476b-9927-271d79f13cf3
status: experimental
description: Detects when there is an interruption in the authentication process.
references:
    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
author: Austin Songer @austinsonger
date: 2021/11/26
modified: 2022/12/18
tags:
    - attack.initial_access
    - attack.t1078
logsource:
    product: azure
    service: signinlogs
detection:
    # Within each selection, both fields must match (logical AND).
    selection_50097:
        ResultType: 50097
        ResultDescription: 'Device authentication is required'
    selection_50155:
        ResultType: 50155
        ResultDescription: 'DeviceAuthenticationFailed'
    selection_50158:
        ResultType: 50158
        ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied'
    # The rule fires when any one of the three selections matches.
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium