Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious SignIns From A Non Registered Device

Detects risky authentication from a non AD registered device without MFA being required.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Harjot SinghCreated Tue Jan 10Updated Wed Jul 02572b12d4-9062-11ed-a1eb-0242ac120002cloud
Log Source
Azuresigninlogs
ProductAzure← raw: azure
Servicesigninlogs← raw: signinlogs
Detection Logic
Detection Logic3 selectors
detection:
    selection_main:
        Status: 'Success'
        AuthenticationRequirement: 'singleFactorAuthentication'
        RiskState: 'atRisk'
    selection_empty1:
        DeviceDetail.trusttype: ''
    selection_empty2:
        DeviceDetail.trusttype: null
    condition: selection_main and 1 of selection_empty*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
learn.microsoft.com
MITRE ATT&CK
Rule Metadata
Rule ID
572b12d4-9062-11ed-a1eb-0242ac120002
Status
test
Level
high
Type
Detection
Created
Tue Jan 10
Modified
Wed Jul 02
Author
Harjot Singh
Path
rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.initial-accessattack.defense-evasionattack.t1078
View on GitHub