Unusual Authentication by Microsoft 365 Azure AD Service Principal

Docs > Plateforme de sécurité Datadog > OOTB Rules > Unusual Authentication by Microsoft 365 Azure AD Service Principal

Classification:

attack

Tactic:

Technique:

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.

Strategy

Using the New Value detection method, find when a Microsoft 365 Azure AD service principal uses a new @AuthenticationMethod.

Triage and response

Determine if the service principal {{@usr.id}} should be authenticating using the {{@AuthenticationMethod}} authentication method and {{@ExtendedProperties.RequestType}} request type.
If {{@usr.email}} should not be authenticating using {{@AuthenticationMethod}},
- Investigate other activities performed by the user {{@usr.id}} using the Cloud SIEM - User Investigation dashboard
- If necessary, initiate your company’s incident response (IR) process.