Suspicious Sign In Followed by MFA Modification — Solutions Analyzer

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.

Attribute	Value
Type	Analytic Rule
Solution	Microsoft Entra ID
ID	`aec77100-25c5-4254-a20a-8027ed92c46c`
Severity	Medium
Status	Available
Kind	Scheduled
Tactics	InitialAccess, DefenseEvasion
Techniques	T1078.004, T1556.006
Required Connectors	AzureActiveDirectory, BehaviorAnalytics
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
`AuditLogs`	✓	✗	?
`BehaviorAnalytics`	✓	✗	?

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to Microsoft Entra ID