Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties

Identifies concurrent Azure sign-in events for the same user from multiple sources, where one of the authentication events has suspicious properties often associated with DeviceCode and OAuth phishing. Adversaries may steal Refresh Tokens (RTs) via phishing to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources.

Elastic rule

[metadata]
creation_date = "2025/04/28"
integration = ["azure"]
maturity = "production"
updated_date = "2025/07/16"

[rule]
author = ["Elastic"]
description = """
Identifies concurrent Azure sign-in events for the same user from multiple sources, where one of the
authentication events has suspicious properties often associated with DeviceCode and OAuth phishing. Adversaries may
steal Refresh Tokens (RTs) via phishing to bypass multi-factor authentication (MFA) and gain unauthorized access to
Azure resources.
"""
false_positives = [
    """
    Users authenticating from multiple devices and using the deviceCode protocol or the Visual Studio Code client.
    """,
]
from = "now-60m"
language = "esql"
license = "Elastic License v2"
name = "Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties"
note = """## Triage and analysis

### Investigating Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties

### Possible investigation steps

- Review the sign-in logs to assess the context and reputation of the source.ip address.
- Investigate the user account associated with the successful sign-in to determine if the activity aligns with expected behavior or if it appears suspicious.
- Check for any recent changes or anomalies in the user's account settings or permissions that could indicate compromise.
- Review the history of sign-ins for the user to identify any patterns or unusual access times that could suggest unauthorized access.
- Assess the device from which the sign-in was attempted to ensure it is a recognized and authorized device for the user.

### Response and remediation

- Immediately revoke the compromised Primary Refresh Tokens (PRTs) to prevent further unauthorized access. This can be done through the Azure portal by navigating to the user's account and invalidating all active sessions.
- Enforce a password reset for the affected user accounts to ensure that any credentials potentially compromised during the attack are no longer valid.
- Implement additional Conditional Access policies that require device compliance checks and restrict access to trusted locations or devices only, to mitigate the risk of future PRT abuse.
- Conduct a thorough review of the affected accounts' recent activity logs to identify any unauthorized actions or data access that may have occurred during the compromise.
- Escalate the incident to the security operations team for further investigation and to determine if there are any broader implications or additional compromised accounts.
- Enhance monitoring by configuring alerts for unusual sign-in patterns or device code authentication attempts from unexpected locations or devices, to improve early detection of similar threats.
- Coordinate with the incident response team to perform a post-incident analysis and update the incident response plan with lessons learned from this event."""
references = [
    "https://learn.microsoft.com/en-us/entra/identity/",
    "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins",
    "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema",
    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
]
risk_score = 73
rule_id = "e3bd85e9-7aff-46eb-b60e-20dfc9020d98"
setup = """#### Required Azure Entra Sign-In Logs
This rule requires the Azure logs integration be enabled and configured to collect all logs, including sign-in logs from Entra. In Entra, sign-in logs must be enabled and streaming to the Event Hub used for the Azure logs integration.
"""
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Azure",
    "Data Source: Entra ID",
    "Data Source: Entra ID Sign-in",
    "Use Case: Identity and Access Audit",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-azure.signinlogs* metadata _id, _version, _index

// Scheduled to run every hour, reviewing events from the past hour
| where
  @timestamp > now() - 1 hours
  and event.dataset == "azure.signinlogs"
  and source.ip is not null
  and azure.signinlogs.identity is not null
  and to_lower(event.outcome) == "success"

// keep relevant raw fields
| keep
  @timestamp,
  azure.signinlogs.identity,
  source.ip,
  azure.signinlogs.properties.authentication_requirement,
  azure.signinlogs.properties.app_id,
  azure.signinlogs.properties.resource_display_name,
  azure.signinlogs.properties.authentication_protocol,
  azure.signinlogs.properties.app_display_name

// case classifications for identity usage
| eval
    Esql.azure_signinlogs_properties_authentication_device_code_case = case(
      azure.signinlogs.properties.authentication_protocol == "deviceCode"
      and azure.signinlogs.properties.authentication_requirement != "multiFactorAuthentication",
      azure.signinlogs.identity,
      null),

    Esql.azure_signinlogs_auth_visual_studio_case = case(
      azure.signinlogs.properties.app_id == "aebc6443-996d-45c2-90f0-388ff96faa56"
      and azure.signinlogs.properties.resource_display_name == "Microsoft Graph",
      azure.signinlogs.identity,
      null),

    Esql.azure_signinlogs_auth_other_case = case(
      azure.signinlogs.properties.authentication_protocol != "deviceCode"
      and azure.signinlogs.properties.app_id != "aebc6443-996d-45c2-90f0-388ff96faa56",
      azure.signinlogs.identity,
      null)

// Aggregate metrics by user identity
| stats
    Esql.event_count = count(*),
    Esql.azure_signinlogs_properties_authentication_device_code_case_count_distinct = count_distinct(Esql.azure_signinlogs_properties_authentication_device_code_case),
    Esql.azure_signinlogs_properties_auth_visual_studio_count_distinct = count_distinct(Esql.azure_signinlogs_auth_visual_studio_case),
    Esql.azure_signinlogs_properties_auth_other_count_distinct = count_distinct(Esql.azure_signinlogs_auth_other_case),
    Esql.azure_signinlogs_properties_source_ip_count_distinct = count_distinct(source.ip),
    Esql.azure_signinlogs_properties_source_ip_values = values(source.ip),
    Esql.azure_signinlogs_properties_client_app_values = values(azure.signinlogs.properties.app_display_name),
    Esql.azure_signinlogs_properties_resource_display_name_values = values(azure.signinlogs.properties.resource_display_name),
    Esql.azure_signinlogs_properties_auth_requirement_values = values(azure.signinlogs.properties.authentication_requirement)
  by azure.signinlogs.identity

// Detect multiple unique IPs for one user with signs of deviceCode or VSC OAuth usage
| where
  Esql.azure_signinlogs_properties_source_ip_count_distinct >= 2
  and (
    Esql.azure_signinlogs_properties_authentication_device_code_case_count_distinct > 0
    or Esql.azure_signinlogs_properties_auth_visual_studio_count_distinct > 0
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
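As an added example (not part of the Elastic rule or its repository), the query's classification, per-identity aggregation and final threshold re-implemented in Python and run over constructed sample sign-in records. Field names are flattened from the ES|QL columns, and the app_id used for ordinary browser sign-ins is a placeholder; only the VS Code client ID comes from the rule.

```python
from collections import defaultdict

# Client ID of Visual Studio Code, the value the rule matches on.
VSCODE_APP_ID = "aebc6443-996d-45c2-90f0-388ff96faa56"
MFA = "multiFactorAuthentication"

def event(identity, ip, protocol="none", auth_req=MFA, app_id="browser-app-id-placeholder",
          resource="Office 365 Exchange Online", outcome="success"):
    """Build one flattened sign-in record carrying just the fields the query keeps."""
    return {"identity": identity, "source_ip": ip, "protocol": protocol, "auth_requirement": auth_req,
            "app_id": app_id, "resource": resource, "outcome": outcome}

# Constructed sample sign-ins within one rule window (not real log data).
SAMPLE_EVENTS = [
    # alice: MFA browser sign-in from one IP, plus a concurrent deviceCode sign-in
    # without MFA from a second IP -- the pattern the rule is built to catch
    event("alice@example.com", "203.0.113.10"),
    event("alice@example.com", "198.51.100.7", protocol="deviceCode",
          auth_req="singleFactorAuthentication", resource="Microsoft Graph"),
    # bob: two IPs but nothing suspicious about either sign-in -> no alert
    event("bob@example.com", "203.0.113.20"),
    event("bob@example.com", "203.0.113.21"),
    # carol: VS Code client to Microsoft Graph, but only one source IP -> no alert
    event("carol@example.com", "203.0.113.30", app_id=VSCODE_APP_ID, resource="Microsoft Graph"),
    # dave: a failed deviceCode attempt is dropped by the event.outcome == "success" filter
    event("dave@example.com", "198.51.100.9", protocol="deviceCode",
          auth_req="singleFactorAuthentication", outcome="failure"),
]

def is_device_code_without_mfa(ev):
    """First case() in the rule: deviceCode protocol where MFA was not required."""
    return ev["protocol"] == "deviceCode" and ev["auth_requirement"] != MFA

def is_vscode_to_graph(ev):
    """Second case() in the rule: the VS Code client ID obtaining a Microsoft Graph token."""
    return ev["app_id"] == VSCODE_APP_ID and ev["resource"] == "Microsoft Graph"

def detect_concurrent_suspicious_signins(events):
    """stats ... by identity, then the final where: >= 2 distinct IPs and at least one
    deviceCode-without-MFA or VS-Code-to-Graph sign-in. Returns {identity: summary} for hits."""
    per_user = defaultdict(lambda: {"source_ips": set(), "device_code": 0, "vscode": 0})
    for ev in events:
        if ev["outcome"].lower() != "success" or not ev["source_ip"] or not ev["identity"]:
            continue  # same filters as the query's first where clause
        row = per_user[ev["identity"]]
        row["source_ips"].add(ev["source_ip"])
        row["device_code"] += is_device_code_without_mfa(ev)  # count of matching events
        row["vscode"] += is_vscode_to_graph(ev)
    return {user: row for user, row in per_user.items()
            if len(row["source_ips"]) >= 2 and (row["device_code"] or row["vscode"])}
```

Only alice is returned: bob has two IPs but no suspicious sign-in, carol has a suspicious sign-in but one IP, and dave's failed attempt never reaches the aggregation.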

