Detectionmediumtest

Certificate-Based Authentication Enabled

Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Harjot Shah SinghCreated Tue Mar 26c2496b41-16a9-4016-a776-b23f8910dc58cloud

Log Source

Azureauditlogs

ProductAzure← raw: azure

Serviceauditlogs← raw: auditlogs

Detection Logic

detection:
    selection:
        OperationName: 'Authentication Methods Policy Update'
        TargetResources.modifiedProperties|contains: 'AuthenticationMethodsPolicy'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0006 · Credential Access TA0003 · Persistence TA0004 · Privilege Escalation

Techniques

T1556 · Modify Authentication Process

Rule Metadata

Rule ID

c2496b41-16a9-4016-a776-b23f8910dc58

Status

test

Level

medium

Type

Detection

Created

Tue Mar 26

Author

Harjot Shah Singh

Path

rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml

Raw Tags

attack.defense-evasionattack.credential-accessattack.persistenceattack.privilege-escalationattack.t1556

View on GitHub