First Occurrence of Entra ID Auth via DeviceCode Protocol

  1[metadata]
  2creation_date = "2024/10/14"
  3integration = ["azure"]
  4maturity = "production"
  5updated_date = "2025/02/21"
  6
  7[rule]
  8author = ["Elastic", "Matteo Potito Giorgio"]
  9description = """
 10Identifies when a user is observed for the first time in the last 14 days authenticating using the device code
 11authentication workflow. This authentication workflow can be abused by attackers to phish users and steal access tokens
 12to impersonate the victim. By its very nature, device code should only be used when logging in to devices without
 13keyboards, where it is difficult to enter emails and passwords.
 14"""
 15from = "now-9m"
 16index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
 17language = "kuery"
 18license = "Elastic License v2"
 19name = "First Occurrence of Entra ID Auth via DeviceCode Protocol"
 20note = """## Triage and analysis
 21
 22### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol
 23
 24This rule detects the first instance of a user authenticating via the **DeviceCode** authentication protocol within a **14-day window**. The **DeviceCode** authentication workflow is designed for devices that lack keyboards, such as IoT devices and smart TVs. However, adversaries can abuse this mechanism by phishing users and stealing authentication tokens, leading to unauthorized access.
 25
 26### Possible Investigation Steps
 27
 28#### Identify the User and Authentication Details
 29- **User Principal Name (UPN)**: Review `azure.signinlogs.properties.user_principal_name` to identify the user involved in the authentication event.
 30- **User ID**: Check `azure.signinlogs.properties.user_id` for a unique identifier of the affected account.
 31- **Authentication Protocol**: Confirm that `azure.signinlogs.properties.authentication_protocol` is set to `deviceCode`.
 32- **Application Used**: Verify the application through `azure.signinlogs.properties.app_display_name` and `azure.signinlogs.properties.app_id` to determine if it is an expected application.
 33
 34#### Review the Source IP and Geolocation
 35- **Source IP Address**: Check `source.ip` and compare it with previous authentication logs to determine whether the login originated from a trusted or expected location.
 36- **Geolocation Details**: Analyze `source.geo.city_name`, `source.geo.region_name`, and `source.geo.country_name` to confirm whether the login location is suspicious.
 37- **ASN / ISP Details**: Review `source.as.organization.name` to check if the IP is associated with a known organization or cloud provider.
 38
 39#### Examine Multi-Factor Authentication (MFA) and Conditional Access
 40- **MFA Enforcement**: Review `azure.signinlogs.properties.applied_conditional_access_policies` to determine if MFA was enforced during the authentication.
 41- **Conditional Access Policies**: Check `azure.signinlogs.properties.conditional_access_status` to understand if conditional access policies were applied and if any controls were bypassed.
 42- **Authentication Method**: Look at `azure.signinlogs.properties.authentication_details` to confirm how authentication was satisfied (e.g., MFA via claim in token).
 43
 44#### Validate Device and Client Details
 45- **Device Information**: Review `azure.signinlogs.properties.device_detail.browser` to determine if the login aligns with the expected behavior of a device that lacks a keyboard.
 46- **User-Agent Analysis**: Inspect `user_agent.original` for anomalies, such as an unexpected operating system or browser.
 47- **Client Application**: Verify `azure.signinlogs.properties.client_app_used` to confirm whether the login was performed using a known client.
 48
 49#### Investigate Related Activities
 50- **Correlate with Phishing Attempts**: Check if the user recently reported phishing attempts or suspicious emails.
 51- **Monitor for Anomalous Account Activity**: Look for recent changes in the user's account settings, including password resets, role changes, or delegation of access.
 52- **Check for Additional DeviceCode Logins**: Review if other users in the environment have triggered similar authentication events within the same timeframe.
 53
 54## False Positive Analysis
 55
 56- **Legitimate Device Enrollment**: If the user is setting up a new device (e.g., a smart TV or kiosk), this authentication may be expected.
 57- **Automation or Scripting**: Some legitimate applications or scripts may leverage the `DeviceCode` authentication protocol for non-interactive logins.
 58- **Shared Devices in Organizations**: In cases where shared workstations or conference room devices are in use, legitimate users may trigger alerts.
 59- **Travel and Remote Work**: If the user is traveling or accessing from a new location, confirm legitimacy before taking action.
 60
 61## Response and Remediation
 62
 63- **Revoke Suspicious Access Tokens**: Immediately revoke any access tokens associated with this authentication event.
 64- **Investigate the User’s Recent Activity**: Review additional authentication logs, application access, and recent permission changes for signs of compromise.
 65- **Reset Credentials and Enforce Stronger Authentication**:
 66  - Reset the affected user’s credentials.
 67  - Enforce stricter MFA policies for sensitive accounts.
 68  - Restrict `DeviceCode` authentication to only required applications.
 69- **Monitor for Further Anomalies**:
 70  - Enable additional logging and anomaly detection for DeviceCode logins.
 71  - Set up alerts for unauthorized access attempts using this authentication method.
 72- **Educate Users on Phishing Risks**: If phishing is suspected, notify the affected user and provide security awareness training on how to recognize and report phishing attempts.
 73- **Review and Adjust Conditional Access Policies**:
 74  - Limit `DeviceCode` authentication to approved users and applications.
 75  - Implement stricter geolocation-based authentication restrictions.
 76"""
 77references = [
 78    "https://aadinternals.com/post/phishing/",
 79    "https://www.blackhillsinfosec.com/dynamic-device-code-phishing/",
 80    "https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/",
 81    "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-authentication-flows",
 82]
 83risk_score = 47
 84rule_id = "af22d970-7106-45b4-b5e3-460d15333727"
 85setup = "This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected.\n"
 86severity = "medium"
 87tags = [
 88    "Domain: Cloud",
 89    "Data Source: Azure",
 90    "Data Source: Microsoft Entra ID",
 91    "Use Case: Identity and Access Audit",
 92    "Tactic: Credential Access",
 93    "Resources: Investigation Guide",
 94]
 95timestamp_override = "event.ingested"
 96type = "new_terms"
 97
 98query = '''
 99event.dataset:(azure.activitylogs or azure.signinlogs)
100    and (
101            azure.signinlogs.properties.authentication_protocol:deviceCode or
102            azure.signinlogs.properties.original_transfer_method: "Device code flow" or
103            azure.activitylogs.properties.authentication_protocol:deviceCode
104        )
105    and event.outcome:success
106'''
107
108
109[[rule.threat]]
110framework = "MITRE ATT&CK"
111[[rule.threat.technique]]
112id = "T1528"
113name = "Steal Application Access Token"
114reference = "https://attack.mitre.org/techniques/T1528/"
115
116
117[rule.threat.tactic]
118id = "TA0006"
119name = "Credential Access"
120reference = "https://attack.mitre.org/tactics/TA0006/"
121
122[rule.new_terms]
123field = "new_terms_fields"
124value = ["azure.signinlogs.properties.user_principal_name"]
125[[rule.new_terms.history_window_start]]
126field = "history_window_start"
127value = "now-14d"