Detectionmediumtest

Authentications To Important Apps Using Single Factor Authentication

Detect when authentications to important application(s) only required single-factor authentication

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Mike DuddingtonCreated Thu Jul 28f272fb46-25f2-422c-b667-45837994980fcloud

Log Source

Azuresigninlogs

ProductAzure← raw: azure

Servicesigninlogs← raw: signinlogs

Detection Logic

detection:
    selection:
        Status: 'Success'
        AppId: 'Insert Application ID use OR for multiple'
        AuthenticationRequirement: 'singleFactorAuthentication'
    condition: selection

False Positives

If this was approved by System Administrator.

References

Resolving title…

learn.microsoft.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence TA0005 · Defense Evasion TA0001 · Initial Access

Techniques

T1078 · Valid Accounts

Rule Metadata

Rule ID

f272fb46-25f2-422c-b667-45837994980f

Status

test

Level

medium

Type

Detection

Created

Thu Jul 28

Author

Mike Duddington

Path

rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.defense-evasionattack.initial-accessattack.t1078

View on GitHub