Rules Contributing to Suspicious Microsoft Entra Device Activity Alert
The following rules are used to identify suspicious Microsoft Entra device activity. Any one or more of these will trigger the Suspicious Microsoft Entra Device Activity Alert. Details for each rule can be viewed by clicking the More Details link in the description.
| Title | Description |
|---|---|
| Azure Device No Longer Managed or Compliant | Identifies when a device in Azure is no longer managed or compliant. More details: Query: `{'selection': {'properties_message': ['Device no longer compliant', 'Device no longer managed']}, 'condition': 'selection'}`; Log Source: Stellar Cyber Microsoft Entra Events configured; Rule Source: SigmaHQ, 542b9912-c01f-4e3f-89a8-014c48cdca7d; Author: Austin Songer @austinsonger; Severity: 50 |
| Azure Device or Configuration Deleted | Identifies when a device or device configuration in Azure is deleted. More details: Query: `{'selection': {'properties_message': ['Delete device', 'Delete device configuration']}, 'condition': 'selection'}`; Log Source: Stellar Cyber Microsoft Entra Events configured; Rule Source: SigmaHQ, 46530378-f9db-4af9-a9e5-889c177d3881; Author: Austin Songer @austinsonger; Severity: 50 |