Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource

Detects successful Microsoft Entra ID sign-ins where the client application is the Microsoft Authentication Broker (MAB) and the requested resource identifier is outside a short list of commonly observed first-party targets. Attackers abuse the broker in phishing and token broker flows to obtain tokens for unexpected APIs or enterprise applications. The exclusion list covers legacy Azure Active Directory, Microsoft Graph, Device Registration Service, and Microsoft Intune Enrollment; extend or tune the exclusions for your tenant after baselining broker traffic.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/05/15"
integration = ["azure"]
maturity = "production"
updated_date = "2026/05/15"

[rule]
author = ["Elastic"]
description = """
Detects successful Microsoft Entra ID sign-ins where the client application is the Microsoft Authentication Broker
(MAB) and the requested resource identifier is outside a short list of commonly observed first-party targets. Attackers
abuse the broker in phishing and token broker flows to obtain tokens for unexpected APIs or enterprise applications.
The exclusion list covers legacy Azure Active Directory, Microsoft Graph, Device Registration Service, and Microsoft
Intune Enrollment; extend or tune the exclusions for your tenant after baselining broker traffic.
"""
false_positives = [
    """
    Legitimate broker sign-ins to first-party Microsoft resources that use alternate well-known IDs, regional variants,
    or new Microsoft services not yet in the exclusion list may match. Third-party applications that integrate with MAB
    for delegated authentication can also appear. Baseline `resource_id` and `resource_display_name` for your
    environment and add exclusions for approved resources.
    """,
]
from = "now-9m"
index = ["logs-azure.signinlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource"
note = """## Triage and analysis

### Investigating Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource

Review `azure.signinlogs.properties.user_principal_name`, `azure.signinlogs.properties.resource_id`,
`azure.signinlogs.properties.resource_display_name`, `azure.signinlogs.properties.session_id`, `source.ip`, and
`user_agent.original`.

Determine whether the resource is a known line-of-business application, partner integration, or Microsoft service not
represented in the rule exclusion list.

### Possible investigation steps

- Resolve `resource_id` in Entra ID enterprise applications and compare with change records or app governance inventory.
- Correlate with `azure.signinlogs` and `azure.graphactivitylogs` for follow-on API calls from the same session.
- Review conditional access results and risk detections for the same user and time window.

### Response and remediation

- If unauthorized, revoke refresh tokens for the user, review consent and app permissions, and reset credentials per policy.
- Escalate per incident procedures when the resource corresponds to sensitive APIs or high-privilege applications.
"""
references = [
    "https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/governance/verify-first-party-apps-sign-in",
    "https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs",
    "https://any.run/malware-trends/tycoon/",
]
risk_score = 47
rule_id = "4f95e0f8-18b7-459a-b8b5-b2f5c94bf6eb"
severity = "medium"
setup = """
Microsoft Entra ID sign-in logs (`logs-azure.signinlogs-*`) must include `azure.signinlogs.properties.app_id` and
`azure.signinlogs.properties.resource_id`. Tune the exclusion list for first-party resource identifiers your tenant
expects from the Microsoft Authentication Broker.
"""
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Sign-in Logs",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:"azure.signinlogs" and event.category:"authentication" and event.action:"Sign-in activity" and
event.outcome:success and azure.signinlogs.properties.app_id:"29d9ed98-a469-4536-ade2-f981bc1d605e" and
azure.signinlogs.properties.resource_id:(* and not
    ("00000002-0000-0000-c000-000000000000" or
    "90a2e5d2-fd7a-4a2e-bc90-3dc50ae8e3ee" or
    "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9" or
    "d4ebce55-015a-49b5-a083-c84d1797ae8c" or
    "00000003-0000-0000-c000-000000000000" or
    "0a5f63c0-b750-4f38-a71c-4fc0d58b89e2")
)
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "source.geo.country_name",
    "event.outcome",
    "azure.signinlogs.properties.user_principal_name",
    "azure.signinlogs.properties.session_id",
    "azure.signinlogs.properties.app_id",
    "azure.signinlogs.properties.app_display_name",
    "azure.signinlogs.properties.resource_id",
    "azure.signinlogs.properties.resource_display_name",
    "azure.signinlogs.properties.authentication_protocol",
    "azure.tenant_id",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"

[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
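To make the query's matching logic concrete, here is an added Python re-implementation of its clauses run over constructed sample sign-in events (example code written for this page, not Elastic's rule engine). The `MAB_APP_ID` and exclusion identifiers are copied from the rule above; the ECS event shape, the `sample_event` helper and the placeholder resource id are assumptions.

```python
MAB_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"  # Microsoft Authentication Broker, from the rule
EXCLUDED_RESOURCE_IDS = {  # the rule's published exclusion list
    "00000002-0000-0000-c000-000000000000",  # legacy Azure Active Directory
    "90a2e5d2-fd7a-4a2e-bc90-3dc50ae8e3ee",
    "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9",
    "d4ebce55-015a-49b5-a083-c84d1797ae8c",
    "00000003-0000-0000-c000-000000000000",  # Microsoft Graph
    "0a5f63c0-b750-4f38-a71c-4fc0d58b89e2",
}


def field(event, path):
    """Walk a dotted ECS path; None when any segment is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def field_is(event, path, value):
    """KQL-style match: a multi-valued field matches if any element equals value."""
    got = field(event, path)
    return value in got if isinstance(got, list) else got == value


def matches_rule(event):
    """True when the event satisfies every clause of the rule's KQL query."""
    resource_id = field(event, "azure.signinlogs.properties.resource_id")
    return (
        field_is(event, "data_stream.dataset", "azure.signinlogs")
        and field_is(event, "event.category", "authentication")
        and field_is(event, "event.action", "Sign-in activity")
        and field_is(event, "event.outcome", "success")
        and field_is(event, "azure.signinlogs.properties.app_id", MAB_APP_ID)
        and resource_id is not None  # `resource_id:(* and ...)` needs the field present
        and resource_id not in EXCLUDED_RESOURCE_IDS
    )


def sample_event(app_id, resource_id, outcome="success"):
    """Constructed sign-in event in the ECS shape the rule queries (not real log data)."""
    props = {"app_id": app_id, "user_principal_name": "user@example.com"}
    if resource_id is not None:
        props["resource_id"] = resource_id
    return {"data_stream": {"dataset": "azure.signinlogs"},
            "event": {"category": ["authentication"], "action": "Sign-in activity", "outcome": outcome},
            "azure": {"signinlogs": {"properties": props}}}


def alerting_resources(events):
    """Resource IDs of the events the rule would alert on."""
    return [field(e, "azure.signinlogs.properties.resource_id") for e in events if matches_rule(e)]
```

A failed broker sign-in, a non-MAB client, an excluded first-party resource, or an event with no `resource_id` at all produce no alert; only a successful MAB sign-in to a resource outside the set does.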

