fixing double header in investigation notes (#4490)

Terrance DeJesus
2025-03-25 09:08:13 -04:00
committed by GitHub
parent 3bbe24d154
commit 5e12f05a36
@@ -2,7 +2,7 @@
creation_date = "2024/10/14"
integration = ["azure"]
maturity = "production"
updated_date = "2025/02/18"
updated_date = "2025/02/21"
[rule]
author = ["Elastic", "Matteo Potito Giorgio"]
@@ -19,8 +19,6 @@ license = "Elastic License v2"
name = "First Occurrence of Entra ID Auth via DeviceCode Protocol"
note = """## Triage and analysis
## Triage and Analysis
### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol
This rule detects the first instance of a user authenticating via the **DeviceCode** authentication protocol within a **14-day window**. The **DeviceCode** authentication workflow is designed for devices that lack keyboards, such as IoT devices and smart TVs. However, adversaries can abuse this mechanism by phishing users and stealing authentication tokens, leading to unauthorized access.