Detection | medium | test

Azure Unusual Authentication Interruption

Detects when there is an interruption in the authentication process.

Austin Songer | Created Fri Nov 26 | Updated Sun Dec 18 | 8366030e-7216-476b-9927-271d79f13cf3 | cloud
Log Source
Azure / signinlogs
Product: Azure (raw: azure)
Service: signinlogs (raw: signinlogs)
Detection Logic
3 selectors
detection:
    selection_50097:
        ResultType: 50097
        ResultDescription: 'Device authentication is required'
    selection_50155:
        ResultType: 50155
        ResultDescription: 'DeviceAuthenticationFailed'
    selection_50158:
        ResultType: 50158
        ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied'
    condition: 1 of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
8366030e-7216-476b-9927-271d79f13cf3
Status
test
Level
medium
Type
Detection
Created
Fri Nov 26
Modified
Sun Dec 18
Path
rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1078