Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Device Registration or Join Without MFA

Monitor and alert for device registration or join events where MFA was not performed.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Michael EppingCreated Tue Jun 285afa454e-030c-4ab4-9253-a90aa7fcc581cloud
Log Source
Azuresigninlogs
ProductAzure← raw: azure
Servicesigninlogs← raw: signinlogs
Detection Logic
Detection Logic2 selectors
detection:
    selection:
        ResourceDisplayName: 'Device Registration Service'
        conditionalAccessStatus: 'success'
    filter_mfa:
        AuthenticationRequirement: 'multiFactorAuthentication'
    condition: selection and not filter_mfa
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
learn.microsoft.com
MITRE ATT&CK
Rule Metadata
Rule ID
5afa454e-030c-4ab4-9253-a90aa7fcc581
Status
test
Level
medium
Type
Detection
Created
Tue Jun 28
Author
Michael Epping
Path
rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.initial-accessattack.defense-evasionattack.t1078.004
View on GitHub