Query Details

Single Factor Authentication Sign In Using Password Detected

Query

// Alert on single factor authentication using password from either a non compliant device or a non trusted network location
SigninLogs
| where ingestion_time() > ago(17m)
// Query only successfull sign-ins
| where ResultType == 0
// Ignore login to Windows
| where AppDisplayName != "Windows Sign In"
// Limit to password only authentication
| extend authenticationMethod = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)
| where authenticationMethod == "Password"
// Limit to non MFA sign-ins
| extend authenticationStepRequirement = tostring(parse_json(AuthenticationDetails)[0].authenticationStepRequirement)
| where AuthenticationRequirement != "multiFactorAuthentication"
// Remove all signins coming from either a trusted network location or a compliant device
| where NetworkLocationDetails == "[]" and DeviceDetail.isCompliant != true
// Add UserName and UserUPNSuffix for strong entity match
| extend UserName = split(UserPrincipalName,'@',0)[0], UserUPNSuffix = split(UserPrincipalName,'@',1)[0]
| extend DeviceId = tostring(DeviceDetail.deviceId)
| extend DeviceOperatingSystem = tostring(DeviceDetail.operatingSystem)
| project-reorder TimeGenerated, UserPrincipalName, authenticationStepRequirement, AuthenticationRequirement, authenticationMethod, AuthenticationProtocol

Explanation

This query detects when a user signs in to Entra ID without providing a second factor using a password. It looks for successful sign-ins that are not to Windows, limit to password-only authentication, and exclude sign-ins from trusted network locations or compliant devices. It also includes additional information such as the user's username and the device details. The query runs every 15 minutes for a period of 20 minutes. If an incident is created, it will group the incidents based on the user account and provide entity mappings for account, host, and IP. The suppression duration is set to 5 hours.

Details

Fabian Bader profile picture

Fabian Bader

Released: October 7, 2023

Tables

SigninLogs

Keywords

DevicesIntuneUser

Operators

where|>ago==!=extendsplitproject-reorder

Severity

Medium

Tactics

InitialAccess

MITRE Techniques

Frequency: 15m

Period: 20m

Actions

GitHub