Single Factor Authentication Sign In Using Password Detected
Query
// Alert on single factor authentication using password from either a non compliant device or a non trusted network location
SigninLogs
| where ingestion_time() > ago(17m)
// Query only successfull sign-ins
| where ResultType == 0
// Ignore login to Windows
| where AppDisplayName != "Windows Sign In"
// Limit to password only authentication
| extend authenticationMethod = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)
| where authenticationMethod == "Password"
// Limit to non MFA sign-ins
| extend authenticationStepRequirement = tostring(parse_json(AuthenticationDetails)[0].authenticationStepRequirement)
| where AuthenticationRequirement != "multiFactorAuthentication"
// Remove all signins coming from either a trusted network location or a compliant device
| where NetworkLocationDetails == "[]" and DeviceDetail.isCompliant != true
// Add UserName and UserUPNSuffix for strong entity match
| extend UserName = split(UserPrincipalName,'@',0)[0], UserUPNSuffix = split(UserPrincipalName,'@',1)[0]
| extend DeviceId = tostring(DeviceDetail.deviceId)
| extend DeviceOperatingSystem = tostring(DeviceDetail.operatingSystem)
| project-reorder TimeGenerated, UserPrincipalName, authenticationStepRequirement, AuthenticationRequirement, authenticationMethod, AuthenticationProtocolExplanation
This query detects when a user signs in to Entra ID without providing a second factor using a password. It looks for successful sign-ins that are not to Windows, limit to password-only authentication, and exclude sign-ins from trusted network locations or compliant devices. It also includes additional information such as the user's username and the device details. The query runs every 15 minutes for a period of 20 minutes. If an incident is created, it will group the incidents based on the user account and provide entity mappings for account, host, and IP. The suppression duration is set to 5 hours.
