Detectionlowtest

Azure AD Only Single Factor Authentication Required

Detect when users are authenticating without MFA being required.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Mike DuddingtonCreated Wed Jul 2728eea407-28d7-4e42-b0be-575d5ba60b2ccloud

Log Source

Azuresigninlogs

ProductAzure← raw: azure

Servicesigninlogs← raw: signinlogs

Detection Logic

detection:
    selection:
        Status: 'Success'
        AuthenticationRequirement: 'singleFactorAuthentication'
    condition: selection

False Positives

If this was approved by System Administrator.

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

28eea407-28d7-4e42-b0be-575d5ba60b2c

Status

test

Level

low

Type

Detection

Created

Wed Jul 27

Author

Path

rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.defense-evasionattack.initial-accessattack.credential-accessattack.t1078.004attack.t1556.006