Detectionhightest

Sign-ins from Non-Compliant Devices

Monitor and alert for sign-ins where the device was non-compliant.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Michael EppingCreated Tue Jun 284f77e1d7-3982-4ee0-8489-abf2d6b75284cloud

Log Source

Azuresigninlogs

ProductAzure← raw: azure

Servicesigninlogs← raw: signinlogs

Detection Logic

detection:
    selection:
        DeviceDetail.isCompliant: 'false'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

4f77e1d7-3982-4ee0-8489-abf2d6b75284

Status

test

Level

high

Type

Detection

Created

Tue Jun 28

Author

Path

rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.initial-accessattack.defense-evasionattack.t1078.004