
Summary
This detection rule identifies successful logins to the Microsoft Intune Company Portal application that may be circumventing Conditional Access (CA) policies and Intune device-trust checks. Conditional Access policies define the conditions (for example a compliant or managed device, a trusted location, or completed MFA) under which users can access applications and services. Tooling such as TokenSmith can exploit these policies, obtaining access with valid credentials without meeting the compliance requirements the policies are meant to enforce. The rule monitors the `UserLoggedIn` operation in the Microsoft 365 unified audit log and alerts when the operation is recorded with a successful result status and an Application ID matching Intune's cloud service. Because the Company Portal is also used during legitimate device enrollment, a match is a starting point for investigation rather than a confirmed breach: validate the user, source IP, user agent and the device's compliance state recorded with the event before escalating.
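The rule logic described above, run over a few constructed audit-log records, as an added example that is not part of the original rule definition. It assumes the unified audit log's `AuditData` JSON shape (`Operation`, `ResultStatus`, `ApplicationId`, and the Name/Value lists in `ExtendedProperties` and `DeviceProperties`), and it assumes the well-known first-party application ID of the Intune Company Portal; confirm that ID against sign-in records in your own tenant before deploying anything based on it. The sample records are constructed for this illustration and are not real tenant data.

```python
"""Detection logic for successful UserLoggedIn events to the Intune Company Portal
application in Microsoft 365 unified audit log records (constructed sample data)."""
import json

# Assumption: this is the well-known first-party application ID of the Microsoft
# Intune Company Portal. Confirm it against sign-in records in your own tenant.
INTUNE_COMPANY_PORTAL_APP_ID = "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223"


def name_value_list_to_dict(items):
    """Flatten the Name/Value lists used by ExtendedProperties and DeviceProperties."""
    return {item.get("Name"): item.get("Value") for item in (items or [])}


def load_records(jsonl_text):
    """Parse one AuditData JSON object per line, as exported from the unified audit log."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def matches_rule(record):
    """Core rule: UserLoggedIn + Succeeded + Intune Company Portal application ID."""
    return (
        record.get("Operation") == "UserLoggedIn"
        and record.get("ResultStatus") == "Succeeded"
        and record.get("ApplicationId") == INTUNE_COMPANY_PORTAL_APP_ID
    )


def detect(records):
    """Return one triage-ready alert per matching record with the context an analyst needs."""
    alerts = []
    for record in records:
        if not matches_rule(record):
            continue
        extended = name_value_list_to_dict(record.get("ExtendedProperties"))
        device = name_value_list_to_dict(record.get("DeviceProperties"))
        alerts.append({
            "time": record.get("CreationTime"),
            "user": record.get("UserId"),
            "client_ip": record.get("ClientIP"),
            "request_type": extended.get("RequestType"),
            "user_agent": extended.get("UserAgent"),
            "device_name": device.get("DisplayName"),
            # "False" here is the strongest hint that device trust was not satisfied.
            "compliant_and_managed": device.get("IsCompliantAndManaged"),
        })
    return alerts


# Constructed sample records (not real tenant data). Record 1 should alert; record 2 is
# a failed attempt against the same app; record 3 is a success against an unrelated,
# placeholder application ID and must not alert.
SAMPLE_AUDIT_DATA = """
{"CreationTime": "2025-01-08T10:15:22", "Operation": "UserLoggedIn", "ResultStatus": "Succeeded", "UserId": "alice@example.com", "ClientIP": "203.0.113.45", "ApplicationId": "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223", "ExtendedProperties": [{"Name": "RequestType", "Value": "OAuth2:Token"}, {"Name": "UserAgent", "Value": "python-requests/2.31"}], "DeviceProperties": [{"Name": "DisplayName", "Value": "unknown"}, {"Name": "IsCompliantAndManaged", "Value": "False"}]}
{"CreationTime": "2025-01-08T10:16:02", "Operation": "UserLoggedIn", "ResultStatus": "Failed", "UserId": "bob@example.com", "ClientIP": "203.0.113.45", "ApplicationId": "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223", "ExtendedProperties": [], "DeviceProperties": []}
{"CreationTime": "2025-01-08T10:17:40", "Operation": "UserLoggedIn", "ResultStatus": "Succeeded", "UserId": "alice@example.com", "ClientIP": "198.51.100.7", "ApplicationId": "11111111-2222-3333-4444-555555555555", "ExtendedProperties": [], "DeviceProperties": [{"Name": "IsCompliantAndManaged", "Value": "True"}]}
"""

if __name__ == "__main__":
    for alert in detect(load_records(SAMPLE_AUDIT_DATA)):
        print(json.dumps(alert, indent=2))
```

Only the first record produces an alert. The alert carries the request type, user agent and the device's `IsCompliantAndManaged` value so that an analyst can separate a non-browser token request from an unmanaged device (the pattern this rule is worried about) from a routine enrollment sign-in before escalating.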
Categories
- Cloud
- Identity Management
- Windows
Data Sources
- User Account
- Logon Session
- Application Log
Created: 2025-01-08