Ahmad Osman
Copper Contributor
May 13, 2022
Status:
New

The importance of device ID

Hi team,


As you know, there are many noisy alerts in MS risky detections, which take a lot of our time and effort to investigate.


There is an easy way to tune that out, which is checking the device ID, i.e. whether the device used in this suspicious login was an MS managed and registered device or not.


In case it was (already owned and managed by MS Azure), most probably this would be legitimate (because it is hard for an attacker to steal the user's laptop or mobile + password + MFA).


Otherwise, the device used was not MS registered, and thus we would continue with further investigation.


As an example of this, there is a login with correlation ID d1afe59f-9717-4ee4-ab10-ab609d6fd024, where the Device ID was c9aa3175-62a2-46b3-8209-3fbd9c57ffdd.


Currently this important field is not directly visible in either the MS Azure portal (e.g. risky detections) or the MS Graph API, so please add it in the future.


That will help us do our work effectively, either manually (from the GUI, filter only on logins where Device ID is null) or automatically (call the MS Graph API and filter on this field). (I have an MS case: 30945856.)


Thanks

Ahmad Osman

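The automatic version of the triage described in the post, as an added example (not code from the post, from Microsoft, or from any Microsoft Graph SDK): risk detection records from Microsoft Graph do not carry the device, but the corresponding sign-in log entry does, under deviceDetail.deviceId, and the two share a correlationId, so a script can join them and push every detection whose sign-in has no device ID (or no sign-in at all) into the investigation queue. The records below are constructed to mirror the shape of GET /identityProtection/riskDetections and GET /auditLogs/signIns responses; they are not real tenant data, although the first pair reuses the correlation ID and device ID quoted in the post. The Graph calls themselves (authentication, paging) are out of scope and assumed to have produced these lists.

```python
"""Hypothetical helper: triage Identity Protection risk detections by whether the
matching sign-in came from a registered device. Written for this post; not Microsoft code.

Assumes the caller has already fetched
  GET /identityProtection/riskDetections  -> RISK_DETECTIONS
  GET /auditLogs/signIns                  -> SIGN_INS
and that both record types carry the shared correlationId field.
"""
import json
from typing import Dict, List, Optional

# Constructed sample records shaped like Graph API objects (not real tenant data).
# rd-1 reuses the correlation ID and device ID quoted in the post above.
RISK_DETECTIONS: List[Dict] = [
    {"id": "rd-1", "correlationId": "d1afe59f-9717-4ee4-ab10-ab609d6fd024",
     "userPrincipalName": "alice@example.com", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "medium"},
    {"id": "rd-2", "correlationId": "6a1c0c2e-0000-4000-8000-000000000002",
     "userPrincipalName": "bob@example.com", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "high"},
    {"id": "rd-3", "correlationId": "6a1c0c2e-0000-4000-8000-000000000003",
     "userPrincipalName": "carol@example.com", "riskEventType": "unlikelyTravel",
     "riskLevel": "medium"},
]

SIGN_INS: List[Dict] = [
    {"id": "si-1", "correlationId": "d1afe59f-9717-4ee4-ab10-ab609d6fd024",
     "userPrincipalName": "alice@example.com",
     "deviceDetail": {"deviceId": "c9aa3175-62a2-46b3-8209-3fbd9c57ffdd",
                      "isManaged": True, "isCompliant": True,
                      "trustType": "Hybrid Azure AD joined"}},
    {"id": "si-2", "correlationId": "6a1c0c2e-0000-4000-8000-000000000002",
     "userPrincipalName": "bob@example.com",
     # Unregistered device: Graph returns an empty deviceId here.
     "deviceDetail": {"deviceId": "", "isManaged": False, "isCompliant": False,
                      "trustType": ""}},
    # Deliberately no sign-in for rd-3: a failed join must not suppress a detection.
]


def index_sign_ins(sign_ins: List[Dict]) -> Dict[str, Dict]:
    """Map correlationId -> sign-in record; correlationId is the join key shared
    between riskDetections and signIns."""
    return {s["correlationId"]: s for s in sign_ins if s.get("correlationId")}


def device_id_of(sign_in: Optional[Dict]) -> Optional[str]:
    """Return the registered device ID of a sign-in, or None when the device is
    unknown or unregistered (deviceDetail missing, deviceId absent or blank)."""
    detail = (sign_in or {}).get("deviceDetail") or {}
    device_id = (detail.get("deviceId") or "").strip()
    return device_id or None


def triage(detections: List[Dict], sign_ins: List[Dict]) -> Dict[str, List[Dict]]:
    """Split detections into 'deprioritize' (sign-in from a registered device) and
    'investigate' (no device ID, or no sign-in found for the correlation ID)."""
    index = index_sign_ins(sign_ins)
    result: Dict[str, List[Dict]] = {"deprioritize": [], "investigate": []}
    for det in detections:
        sign_in = index.get(det.get("correlationId", ""))
        device_id = device_id_of(sign_in)
        entry = {"detectionId": det["id"], "user": det.get("userPrincipalName"),
                 "riskEventType": det.get("riskEventType"),
                 "riskLevel": det.get("riskLevel"), "deviceId": device_id}
        if sign_in is None:
            entry["reason"] = "no sign-in found for correlationId"
            result["investigate"].append(entry)
        elif device_id is None:
            entry["reason"] = "sign-in from unregistered device"
            result["investigate"].append(entry)
        else:
            # Surface the management flags too; a registered but unmanaged
            # device is worth a second look even if it is deprioritized.
            entry["isManaged"] = bool(sign_in["deviceDetail"].get("isManaged"))
            entry["isCompliant"] = bool(sign_in["deviceDetail"].get("isCompliant"))
            entry["reason"] = "sign-in from registered device"
            result["deprioritize"].append(entry)
    return result


if __name__ == "__main__":
    print(json.dumps(triage(RISK_DETECTIONS, SIGN_INS), indent=2))
```

Running the script prints rd-1 under "deprioritize" (device c9aa3175-… is registered and managed) and rd-2 and rd-3 under "investigate", each with the reason attached. The join deliberately treats a missing sign-in the same as a missing device ID: a detection is only deprioritized on positive evidence of a registered device, never because the data to check it was absent.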