Adversaries may use non-managed devices to bypass security controls and gain unauthorized access to sensitive systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or persistence tactics early.
KQL Query
AADSignInEventsBeta
| where Timestamp > ago(7d)
| where IsManaged != 1
| where IsCompliant != 1
// Filter for medium- and high-risk sign-ins only
| where RiskLevelDuringSignIn in (50, 100)
| where ClientAppUsed == "Browser"
| where isempty(DeviceTrustType)
| where isnotempty(State) or isnotempty(Country) or isnotempty(City)
| where isnotempty(IPAddress)
| where isnotempty(AccountObjectId)
| where isempty(DeviceName)
| where isempty(AadDeviceId)
| project Timestamp, IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn
id: 8d298b5c-feca-4add-bd42-e43e0a317a88
name: Risky sign-in attempt from a non-managed device
description: |
  In this detection, we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device.
description-detailed: |
  In this detection, we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device. The risk level assigned to the sign-in is taken into consideration as well: a medium or high risk score for the sign-in attempt makes the activity more anomalous.
  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  AADSignInEventsBeta
  | where Timestamp > ago(7d)
  | where IsManaged != 1
  | where IsCompliant != 1
  // Filter for medium- and high-risk sign-ins only
  | where RiskLevelDuringSignIn in (50, 100)
  | where ClientAppUsed == "Browser"
  | where isempty(DeviceTrustType)
  | where isnotempty(State) or isnotempty(Country) or isnotempty(City)
  | where isnotempty(IPAddress)
  | where isnotempty(AccountObjectId)
  | where isempty(DeviceName)
  | where isempty(AadDeviceId)
  | project Timestamp, IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn
version: 1.0.0
Scenario: A system administrator uses a personal laptop to remotely manage a server via SSH or PowerShell Remoting.
Filter/Exclusion: Exclude sign-ins from devices associated with admin accounts or those used for remote management (e.g., user_agent contains “SSH” or “PowerShell”, or IP address matches known admin IPs).
Scenario: A scheduled job runs on a non-managed device to perform routine maintenance or data backup.
Filter/Exclusion: Exclude sign-ins from known automated jobs (e.g., device_name contains “backup” or “scheduler”, or event_id matches job execution logs).
Scenario: A user accesses their corporate account from a personal device during a BYOD (Bring Your Own Device) scenario.
Filter/Exclusion: Exclude sign-ins from devices that are whitelisted or have been previously registered as personal devices (e.g., device_id in a known BYOD device list).
Scenario: A third-party service or tool (e.g., Jenkins, Ansible, or Terraform) authenticates to the corporate environment using a non-managed device.
Filter/Exclusion: Exclude sign-ins from known third-party tools (e.g., client_app matches “Jenkins” or “Ansible”, or request_url contains “jenkins” or “terraform”).
Scenario: A user accesses their account from a public or shared device (e.g., a library computer or hotel Wi-Fi) using multi-factor authentication.
Filter/Exclusion: Exclude sign-ins from public IP ranges or devices that have been flagged as shared (e.g., ip_address in a known public IP list, or device_type is “public”).
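The exclusions above, folded into the hunting query as an added example (this is not part of the original page or of the Microsoft reference article). The IP ranges, account object IDs and user-agent fragments in the allow-lists are constructed placeholders, and the `AccountUpn` and `UserAgent` columns are assumed to be present in `AADSignInEventsBeta`. Note that the base query already requires an empty `AadDeviceId` and `ClientAppUsed == "Browser"`, so the device-ID and client-app exclusions from the BYOD and third-party-tool scenarios are implied by the query itself; what is left to encode is allow-listing by source range, by automation identity and by user agent:

```kql
// Added example: the hunting query with tuning exclusions applied.
// All allow-list values below are constructed placeholders. In production
// they would normally be loaded from a Sentinel watchlist via
// _GetWatchlist('<name>') rather than hard-coded in the query.
let lookback = 7d;
// Constructed: source ranges used by admins for remote management (scenario 1)
let AdminIpRanges = dynamic([
    "203.0.113.0/24",    // TEST-NET-3 placeholder
    "198.51.100.10/32"   // TEST-NET-2 placeholder
]);
// Constructed: identities used by scheduled jobs and CI/CD tooling (scenarios 2 and 4)
let AutomationAccounts = datatable(AccountObjectId:string) [
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
];
// Constructed: user-agent fragments of known tooling (scenarios 1 and 4)
let ToolingUserAgents = dynamic(["Jenkins", "Ansible", "Terraform", "PowerShell"]);
AADSignInEventsBeta
| where Timestamp > ago(lookback)
| where IsManaged != 1 and IsCompliant != 1
// Filter for medium- and high-risk sign-ins only
| where RiskLevelDuringSignIn in (50, 100)
| where ClientAppUsed == "Browser"
| where isempty(DeviceTrustType)
| where isnotempty(State) or isnotempty(Country) or isnotempty(City)
| where isnotempty(IPAddress) and isnotempty(AccountObjectId)
| where isempty(DeviceName) and isempty(AadDeviceId)
// Scenario 1: drop sign-ins that originate from admin management ranges
| extend FromAdminRange = ipv4_is_in_any_range(IPAddress, AdminIpRanges)
| where FromAdminRange == false
// Scenarios 2 and 4: drop known automation identities (leftanti keeps rows with no match)
| join kind=leftanti AutomationAccounts on AccountObjectId
// Scenarios 1 and 4: drop sign-ins whose user agent identifies known tooling
| where not(UserAgent has_any (ToolingUserAgents))
| project Timestamp, IPAddress, AccountObjectId, AccountUpn, ApplicationId,
          SessionId, UserAgent, RiskLevelDuringSignIn
| order by Timestamp desc
```

Keep each allow-list as narrow as possible and review it on a schedule: a broad exclusion such as an entire public IP range suppresses exactly the unmanaged, risky sign-ins this hunt is meant to surface, whereas a `/32` for a known admin jump host or a single automation account object ID removes a known false positive without hiding anything else. Using `join kind=leftanti` for the account list (rather than a long `!in` literal) also keeps the query readable as the list grows and lets it be swapped for a watchlist without touching the rest of the pipeline.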