Azure AD Login Without MFA
Set up the Azure integration.
Goal
Detect when any user logs in to Azure AD without multi-factor authentication.
Strategy
This rule monitors Azure Activity logs for Active Directory logs and detects when any @evt.category has a value of SignInLogs, and @properties.authenticationRequirement has a value of singleFactorAuthentication.
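The two conditions above, applied offline to exported sign-in events, as an added example that is not the rule's own query or Datadog code. It assumes one JSON event per line with a nested layout mirroring the attribute paths in the rule; the properties.userPrincipalName field and the sample events are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample events (not real logs). The nested layout mirrors the
# attribute paths named in the rule; userPrincipalName is an assumed field.
SAMPLE_LOGS = """
{"evt": {"category": "SignInLogs"}, "properties": {"authenticationRequirement": "singleFactorAuthentication", "userPrincipalName": "alice@example.com"}}
{"evt": {"category": "SignInLogs"}, "properties": {"authenticationRequirement": "multiFactorAuthentication", "userPrincipalName": "bob@example.com"}}
{"evt": {"category": "AuditLogs"}, "properties": {"authenticationRequirement": "singleFactorAuthentication", "userPrincipalName": "carol@example.com"}}
{"evt": {"category": "SignInLogs"}, "properties": {"authenticationRequirement": "singleFactorAuthentication", "userPrincipalName": "alice@example.com"}}
{"evt": {"category": "SignInLogs"}, "properties": {"authenticationRequirement": "singleFactorAuthentication"}}
{"evt": {"category": "SignInLogs"}, "properties":
"""

def get_path(event, dotted):
    """Walk a dotted attribute path; return None if any segment is missing."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def is_single_factor_sign_in(event):
    """True only when both conditions from the Strategy section hold."""
    return (get_path(event, "evt.category") == "SignInLogs"
            and get_path(event, "properties.authenticationRequirement")
            == "singleFactorAuthentication")

def single_factor_users(lines):
    """Count single-factor sign-ins per user; skip blank or malformed lines."""
    hits = Counter()
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: nothing to evaluate
        if is_single_factor_sign_in(event):
            user = get_path(event, "properties.userPrincipalName") or "<unknown>"
            hits[user] += 1
    return hits

if __name__ == "__main__":
    for user, count in single_factor_users(SAMPLE_LOGS).most_common():
        print(f"{user}: {count} single-factor sign-in(s)")
```

The per-user counts give a starting list for the outreach and account review steps under Triage and response.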
Triage and response
- Reach out to the user to determine if the login was legitimate.
- If the login was legitimate, request that the user enable 2FA.
- If the login wasn’t legitimate, rotate the credentials.
- Review all user accounts to ensure MFA is enabled.
Changelog
- 15 November 2022 - Updated query to reduce false positives, updated option values.