Identifies MFA method registration events where the source IP address has not appeared in the registering user's 30-day sign-in history. An attacker who obtains credentials may register a new MFA method from an attacker-controlled IP to maintain access after a password reset. Does not require Entra ID P2 licensing.

References:

- https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks
- https://learn.microsoft.com/azure/active-directory/reports-monitoring/referenc

| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Standalone Content |
| ID | 3d36b19f-cd62-4522-8869-23cdd9cc0c9f |
| Tactics | Persistence, DefenseEvasion |
| Techniques | T1556.006 |
| Required Connectors | AzureActiveDirectory |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/MultipleDataSources/MFARegistrationFromUnseenIP.yaml) |
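
The comparison described above, sketched in Python outside Sentinel as an added example (it is not the hunting query from the Azure-Sentinel repository). The event field names (`user`, `time`, `ip`), the sample events and the `exclude_recent` gap are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

def norm_ip(raw):
    """Canonical IP string, or None when the value is missing or unparsable."""
    try:
        ip = ip_address(raw.strip())
    except (AttributeError, ValueError):
        return None
    # Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) onto the IPv4 address it wraps.
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def unseen_ip_registrations(registrations, signins, lookback=timedelta(days=30),
                            exclude_recent=timedelta(hours=24)):
    # exclude_recent is an assumption of this example: sign-ins just before the
    # registration are ignored so the registering session cannot baseline itself.
    history = {}  # user -> [(time, ip)]
    for s in signins:
        ip = norm_ip(s.get("ip"))
        if ip:
            history.setdefault(s["user"].lower(), []).append((s["time"], ip))
    hits = []
    for r in registrations:
        user, ip = r["user"].lower(), norm_ip(r.get("ip"))
        start, end = r["time"] - lookback, r["time"] - exclude_recent
        seen = {i for t, i in history.get(user, []) if start <= t <= end}
        reason = ("no_source_ip" if ip is None            # cannot compare
                  else "no_signin_history" if not seen    # nothing to baseline
                  else "ip_not_in_history" if ip not in seen else None)
        if reason:
            hits.append({"user": user, "ip": ip, "reason": reason})
    return hits

# Constructed sample events (documentation IP ranges, hypothetical field names).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SIGNINS = [
    {"user": "alice@example.com", "time": NOW - timedelta(days=5), "ip": "198.51.100.7"},
    {"user": "alice@example.com", "time": NOW - timedelta(minutes=10), "ip": "203.0.113.50"},
    {"user": "bob@example.com", "time": NOW - timedelta(days=40), "ip": "198.51.100.9"},
    {"user": "carol@example.com", "time": NOW - timedelta(days=3), "ip": "::ffff:198.51.100.20"},
]
REGISTRATIONS = [
    {"user": "Alice@example.com", "time": NOW, "ip": "203.0.113.50"},
    {"user": "bob@example.com", "time": NOW, "ip": "198.51.100.9"},
    {"user": "carol@example.com", "time": NOW, "ip": "198.51.100.20"},
    {"user": "dave@example.com", "time": NOW, "ip": None},
]
```

Registrations with no usable baseline (no source IP, or no sign-ins in the window) are returned with their own reason rather than dropped, so they can be triaged separately from true IP mismatches.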