title: Change to Authentication Method
id: 4d78a000-ab52-4564-88a5-7ab5242b20c7
status: experimental
author: AlertIQ
date: 2021/10/10  
description: Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.
references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    LoggedByService: 'Authentication Methods'
    Category: 'UserManagement'
    OperationName: 'User registered security info'
  condition: selection
level: medium
falsepositives:
  - Unknown
tags:
  - attack.credential_access