Sign-in from unseen IP within 60 minutes of MFA disabled for account

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

Identifies successful sign-ins from IP addresses not seen in the prior 30 days occurring within 60 minutes of MFA being disabled for the same account, consistent with post-compromise credential use after weakening authentication.

Attribute	Value
Type	Hunting Query
Solution	Standalone Content
ID	`3140d3e9-f87c-48aa-8d81-1b78b6c5d7bf`
Tactics	CredentialAccess, Persistence
Techniques	T1556.006, T1078.004
Required Connectors	AzureActiveDirectory
Source	[View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/MultipleDataSources/MFADisabledThenSignInFromUnseenIP.yaml)

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Hunting Queries