Entra ID OAuth Device Code Flow with Concurrent Sign-ins

  1[metadata]
  2creation_date = "2025/12/02"
  3integration = ["azure"]
  4maturity = "production"
  5updated_date = "2026/01/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies Entra ID device code authentication flows where multiple user agents are observed within the same session.
 11This pattern is indicative of device code phishing, where an attacker's polling client (e.g., Python script) and the
 12victim's browser both appear in the same authentication session. In legitimate device code flows, the user authenticates
 13via browser while the requesting application polls for tokens - when these have distinctly different user agents
 14(e.g., Python Requests vs Chrome), it may indicate the code was phished and redeemed by an attacker.
 15"""
 16false_positives = [
 17    """
 18    Legitimate use of device code flow where a user authenticates via browser for a CLI tool or headless application.
 19    Common legitimate scenarios include Azure CLI, Azure PowerShell, or VS Code remote development. Review the user
 20    agent combinations - browser + known CLI tool from the same user may be expected behavior.
 21    """,
 22]
 23from = "now-9m"
 24language = "esql"
 25license = "Elastic License v2"
 26name = "Entra ID OAuth Device Code Flow with Concurrent Sign-ins"
 27note = """## Triage and analysis
 28
 29### Investigating Entra ID OAuth Device Code Flow with Concurrent Sign-ins
 30
 31### Possible investigation steps
 32
 33- Review the sign-in logs to assess the context and reputation of the source.ip address.
 34- Investigate the user account associated with the successful sign-in to determine if the activity aligns with expected behavior or if it appears suspicious.
 35- Check for any recent changes or anomalies in the user's account settings or permissions that could indicate compromise.
 36- Review the history of sign-ins for the user to identify any patterns or unusual access times that could suggest unauthorized access.
 37- Assess the device from which the sign-in was attempted to ensure it is a recognized and authorized device for the user.
 38
 39### Response and remediation
 40
 41- Immediately revoke the compromised Primary Refresh Tokens (PRTs) to prevent further unauthorized access. This can be done through the Azure portal by navigating to the user's account and invalidating all active sessions.
 42- Enforce a password reset for the affected user accounts to ensure that any credentials potentially compromised during the attack are no longer valid.
 43- Implement additional Conditional Access policies that require device compliance checks and restrict access to trusted locations or devices only, to mitigate the risk of future PRT abuse.
 44- Conduct a thorough review of the affected accounts' recent activity logs to identify any unauthorized actions or data access that may have occurred during the compromise.
 45- Escalate the incident to the security operations team for further investigation and to determine if there are any broader implications or additional compromised accounts.
 46- Enhance monitoring by configuring alerts for unusual sign-in patterns or device code authentication attempts from unexpected locations or devices, to improve early detection of similar threats.
 47- Coordinate with the incident response team to perform a post-incident analysis and update the incident response plan with lessons learned from this event."""
 48references = [
 49    "https://learn.microsoft.com/en-us/entra/identity/",
 50    "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins",
 51    "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema",
 52    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
 53    "https://www.wiz.io/blog/recent-oauth-attacks-detection-strategies"
 54]
 55risk_score = 73
 56rule_id = "3db029b3-fbb7-4697-ad07-33cbfd5bd080"
 57setup = """#### Required Azure Entra Sign-In Logs
 58This rule requires the Azure logs integration be enabled and configured to collect all logs, including sign-in logs from Entra. In Entra, sign-in logs must be enabled and streaming to the Event Hub used for the Azure logs integration.
 59"""
 60severity = "high"
 61tags = [
 62    "Domain: Cloud",
 63    "Domain: Identity",
 64    "Data Source: Azure",
 65    "Data Source: Entra ID",
 66    "Data Source: Entra ID Sign-in",
 67    "Use Case: Identity and Access Audit",
 68    "Use Case: Threat Detection",
 69    "Tactic: Credential Access",
 70    "Resources: Investigation Guide",
 71]
 72timestamp_override = "event.ingested"
 73type = "esql"
 74
 75query = '''
 76from logs-azure.signinlogs-* metadata _id, _version, _index
 77
 78| where event.category == "authentication" and event.dataset == "azure.signinlogs" and
 79        azure.signinlogs.properties.original_transfer_method == "deviceCodeFlow"
 80
 81// Track events with deviceCode authentication protocol (browser auth) vs polling client
 82| eval is_device_code_auth = case(azure.signinlogs.properties.authentication_protocol == "deviceCode", 1, 0)
 83
 84| stats Esql.count_logon = count(*),
 85        Esql.device_code_auth_count = sum(is_device_code_auth),
 86        Esql.timestamp_values = values(@timestamp),
 87        Esql.source_ip_count_distinct = count_distinct(source.ip),
 88        Esql.user_agent_count_distinct = count_distinct(user_agent.original),
 89        Esql.user_agent_values = values(user_agent.original),
 90        Esql.authentication_protocol_values = values(azure.signinlogs.properties.authentication_protocol),
 91        Esql.azure_signinlogs_properties_client_app_values = values(azure.signinlogs.properties.app_display_name),
 92        Esql.azure_signinlogs_properties_app_id_values = values(azure.signinlogs.properties.app_id),
 93        Esql.azure_signinlogs_properties_resource_display_name_values = values(azure.signinlogs.properties.resource_display_name),
 94        Esql.azure_signinlogs_properties_auth_requirement_values = values(azure.signinlogs.properties.authentication_requirement),
 95        Esql.azure_signinlogs_properties_tenant_id = values(azure.tenant_id),
 96        Esql.azure_signinlogs_properties_status_error_code_values = values(azure.signinlogs.properties.status.error_code),
 97        Esql.message_values = values(message),
 98        Esql.azure_signinlogs_properties_resource_id_values = values(azure.signinlogs.properties.resource_id),
 99        Esql.source_ip_values = values(source.ip)
100        by azure.signinlogs.properties.session_id, azure.signinlogs.identity
101
102// Require: 2+ events, at least one deviceCode auth protocol event, and either 2+ IPs or 2+ user agents
103| where Esql.count_logon >= 2 and Esql.device_code_auth_count >= 1 and (Esql.source_ip_count_distinct >= 2 or Esql.user_agent_count_distinct >= 2)
104| keep
105       Esql.*,
106       azure.signinlogs.properties.session_id,
107       azure.signinlogs.identity
108'''
109
110
111[[rule.threat]]
112framework = "MITRE ATT&CK"
113[[rule.threat.technique]]
114id = "T1528"
115name = "Steal Application Access Token"
116reference = "https://attack.mitre.org/techniques/T1528/"
117
118
119[rule.threat.tactic]
120id = "TA0006"
121name = "Credential Access"
122reference = "https://attack.mitre.org/tactics/TA0006/"
123[[rule.threat]]
124framework = "MITRE ATT&CK"
125[[rule.threat.technique]]
126id = "T1566"
127name = "Phishing"
128reference = "https://attack.mitre.org/techniques/T1566/"
129[[rule.threat.technique.subtechnique]]
130id = "T1566.002"
131name = "Spearphishing Link"
132reference = "https://attack.mitre.org/techniques/T1566/002/"
133
134
135[rule.threat.tactic]
136id = "TA0001"
137name = "Initial Access"
138reference = "https://attack.mitre.org/tactics/TA0001/"