Authentication method added to an Azure account

Cortex XDR Analytics Alert Reference by data source

Last date published: 2024-04-15
Order: data source

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: AzureAD Audit Log
Detection Modules	Identity Threat Module
ATT&CK Tactic	Persistence (TA0003)
ATT&CK Technique	Valid Accounts (T1078)
Severity	Informational

Description

An identity attempted to add an Azure authentication method.

Attacker's Goals

An attacker can add an authentication method to an account, so they can have later access to the tenant and resources.

Investigative actions

Check if the authentication method is legitimate in the organization.
Check whether the identity is permitted to perform such actions.
Follow the account for possible suspicious or unusual logins.

Variations

Suspicious authentication method addition to Azure account

Synopsis

ATT&CK Tactic	Persistence (TA0003)
ATT&CK Technique	Valid Accounts (T1078)
Severity	Low

Description

An identity added an Azure authentication method.

Attacker's Goals

An attacker can add an authentication method to an account, so they can have later access to the tenant and resources.

Investigative actions

Check if the authentication method is legitimate in the organization.
Check whether the identity is permitted to perform such actions.
Follow the account for possible suspicious or unusual logins.