Defense Evasion (TA0005)(external, opens in a new tab or window)
Initial Access (TA0001)(external, opens in a new tab or window)
text code block:data_stream.dataset: "azure.signinlogs" and event.outcome: "success" and azure.signinlogs.properties.user_type: "Member" and azure.signinlogs.properties.authentication_requirement: "singleFactorAuthentication" and azure.signinlogs.properties.conditional_access_status: ("success" or "notApplied") and azure.signinlogs.properties.authentication_details.authentication_method: "Password" and azure.signinlogs.properties.applied_conditional_access_policies.enforced_grant_controls: "Mfa" and azure.signinlogs.properties.applied_conditional_access_policies.result: "notApplied" and ( azure.signinlogs.properties.resource_id: "00000003-0000-0000-c000-000000000000" or azure.signinlogs.properties.resource_display_name: "Microsoft Graph" ) and azure.signinlogs.properties.app_owner_tenant_id: "f8cdef31-a31e-4b4a-93e4-5f571e91255a" and azure.signinlogs.properties.user_principal_name: * and azure.signinlogs.properties.app_id: * and source.as.number: *
Install detection rules in Elastic Security
Detect Entra ID Conditional Access MFA Bypass with Unusual User, Client and Source ASN in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).