Entra ID User Sign-in with Unusual Client

calendar Dec 19, 2025 · Domain: Cloud Domain: Identity Data Source: Azure Data Source: Entra ID Data Source: Entra ID Sign-in Use Case: Identity and Access Audit Use Case: Threat Detection Tactic: Initial Access Resources: Investigation Guide  ·
Share on: linkedin copy

Detects rare non-interactive sign-ins where an Entra ID client application authenticates on behalf of a principal user using an application (client) ID that is not commonly associated with that user’s historical sign-in behavior. Adversaries with stolen credentials or OAuth tokens may abuse Entra ID–managed or first-party client IDs to perform on-behalf-of (OBO) authentication, blending into legitimate cloud traffic while avoiding traditional interactive sign-in flows. This technique is commonly observed in OAuth phishing, token theft, and access broker operations, and may precede lateral movement, persistence, or data access via Microsoft Graph or other cloud resources. The rule uses a New Terms approach to identify first-seen combinations of the UPN and Client ID within a defined history window, helping surface unexpected client usage that may indicate compromised identities, malicious automation, or unauthorized application impersonation.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2025/03/10"
  3integration = ["azure"]
  4maturity = "production"
  5updated_date = "2025/12/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects rare non-interactive sign-ins where an Entra ID client application authenticates on behalf of a principal user
 11using an application (client) ID that is not commonly associated with that user’s historical sign-in behavior.
 12Adversaries with stolen credentials or OAuth tokens may abuse Entra ID–managed or first-party client IDs to perform
 13on-behalf-of (OBO) authentication, blending into legitimate cloud traffic while avoiding traditional interactive sign-in
 14flows. This technique is commonly observed in OAuth phishing, token theft, and access broker operations, and may precede
 15lateral movement, persistence, or data access via Microsoft Graph or other cloud resources. The rule uses a New Terms
 16approach to identify first-seen combinations of the UPN and Client ID within a defined history window, helping surface
 17unexpected client usage that may indicate compromised identities, malicious automation, or unauthorized application
 18impersonation.
 19"""
 20from = "now-9m"
 21index = ["filebeat-*", "logs-azure.signinlogs-*"]
 22language = "kuery"
 23license = "Elastic License v2"
 24name = "Entra ID User Sign-in with Unusual Client"
 25note = """## Triage and analysis
 26
 27### Investigating Entra ID User Sign-in with Unusual Client
 28
 29This rule identifies rare Azure Entra apps IDs requesting authentication on-behalf-of a principal user. An adversary with stolen credentials may specify an Azure-managed app ID to authenticate on-behalf-of a user. This is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The app ID specified may not be commonly used by the user based on their historical sign-in activity.
 30
 31### Possible investigation steps
 32
 33- Identify the source IP address from which the failed login attempts originated by reviewing `source.ip`. Determine if the IP is associated with known malicious activity using threat intelligence sources or if it belongs to a corporate VPN, proxy, or automation process.
 34- Analyze affected user accounts by reviewing `azure.signinlogs.properties.user_principal_name` to determine if they belong to privileged roles or high-value users. Look for patterns indicating multiple failed attempts across different users, which could suggest a password spraying attempt.
 35- Examine the authentication method used in `azure.signinlogs.properties.authentication_details` to identify which authentication protocols were attempted and why they failed. Legacy authentication methods may be more susceptible to brute-force attacks.
 36- Review the authentication error codes found in `azure.signinlogs.properties.status.error_code` to understand why the login attempts failed. Common errors include `50126` for invalid credentials, `50053` for account lockouts, `50055` for expired passwords, and `50056` for users without a password.
 37- Correlate failed logins with other sign-in activity by looking at `event.outcome`. Identify if there were any successful logins from the same user shortly after multiple failures or if there are different geolocations or device fingerprints associated with the same account.
 38- Review `azure.signinlogs.properties.app_id` to identify which applications were initiating the authentication attempts. Determine if these applications are Microsoft-owned, third-party, or custom applications and if they are authorized to access the resources.
 39- Check for any conditional access policies that may have been triggered by the failed login attempts by reviewing `azure.signinlogs.properties.authentication_requirement`. This can help identify if the failed attempts were due to policy enforcement or misconfiguration.
 40
 41## False positive analysis
 42
 43- Automated scripts or applications using non-interactive authentication may trigger this detection, particularly if they rely on legacy authentication protocols recorded in `azure.signinlogs.properties.authentication_protocol`.
 44- Corporate proxies or VPNs may cause multiple users to authenticate from the same IP, appearing as repeated failed attempts under `source.ip`.
 45- User account lockouts from forgotten passwords or misconfigured applications may show multiple authentication failures in `azure.signinlogs.properties.status.error_code`.
 46- Exclude known trusted IPs, such as corporate infrastructure, from alerts by filtering `source.ip`.
 47- Exclude known custom applications from `azure.signinlogs.properties.app_id` that are authorized to use non-interactive authentication.
 48- Ignore principals with a history of failed logins due to legitimate reasons, such as expired passwords or account lockouts, by filtering `azure.signinlogs.properties.user_principal_name`.
 49- Correlate sign-in failures with password reset events or normal user behavior before triggering an alert.
 50
 51## Response and remediation
 52
 53- Block the source IP address in `source.ip` if determined to be malicious.
 54- Reset passwords for all affected user accounts listed in `azure.signinlogs.properties.user_principal_name` and enforce stronger password policies.
 55- Ensure basic authentication is disabled for all applications using legacy authentication protocols listed in `azure.signinlogs.properties.authentication_protocol`.
 56- Enable multi-factor authentication (MFA) for impacted accounts to mitigate credential-based attacks.
 57- Review conditional access policies to ensure they are correctly configured to block unauthorized access attempts recorded in `azure.signinlogs.properties.authentication_requirement`.
 58- Review Conditional Access policies to enforce risk-based authentication and block unauthorized access attempts recorded in `azure.signinlogs.properties.authentication_requirement`.
 59- Implement a zero-trust security model by enforcing least privilege access and continuous authentication.
 60- Regularly review and update conditional access policies to ensure they are effective against evolving threats.
 61- Restrict the use of legacy authentication protocols by disabling authentication methods listed in `azure.signinlogs.properties.client_app_used`.
 62- Regularly audit authentication logs in `azure.signinlogs` to detect abnormal login behavior and ensure early detection of potential attacks.
 63- Regularly rotate client credentials and secrets for applications using non-interactive authentication to reduce the risk of credential theft.
 64"""
 65references = ["https://securityscorecard.com/wp-content/uploads/2025/02/MassiveBotnet-Report_022125_03.pdf"]
 66risk_score = 47
 67rule_id = "c766bc56-fdca-11ef-b194-f661ea17fbcd"
 68severity = "medium"
 69tags = [
 70    "Domain: Cloud",
 71    "Domain: Identity",
 72    "Data Source: Azure",
 73    "Data Source: Entra ID",
 74    "Data Source: Entra ID Sign-in",
 75    "Use Case: Identity and Access Audit",
 76    "Use Case: Threat Detection",
 77    "Tactic: Initial Access",
 78    "Resources: Investigation Guide",
 79]
 80timestamp_override = "event.ingested"
 81type = "new_terms"
 82
 83query = '''
 84event.dataset: "azure.signinlogs" and event.category: "authentication"
 85    and azure.signinlogs.properties.is_interactive: false
 86    and azure.signinlogs.properties.user_type: "Member"
 87    and not azure.signinlogs.properties.client_app_used: "Browser"
 88    and not source.as.organization.name: "MICROSOFT-CORP-MSN-AS-BLOCK"
 89    and not azure.signinlogs.properties.app_id: (
 90        "1b3c667f-cde3-4090-b60b-3d2abd0117f0" or
 91        "26a7ee05-5602-4d76-a7ba-eae8b7b67941" or
 92        "4b0964e4-58f1-47f4-a552-e2e1fc56dcd7" or
 93        "ecd6b820-32c2-49b6-98a6-444530e5a77a" or
 94        "268761a2-03f3-40df-8a8b-c3db24145b6b" or
 95        "fc0f3af4-6835-4174-b806-f7db311fd2f3" or
 96        "de50c81f-5f80-4771-b66b-cebd28ccdfc1" or
 97        "ab9b8c07-8f02-4f72-87fa-80105867a763" or
 98        "6f7e0f60-9401-4f5b-98e2-cf15bd5fd5e3" or
 99        "d7b530a4-7680-4c23-a8bf-c52c121d2e87" or
100        "52c2e0b5-c7b6-4d11-a89c-21e42bcec444" or
101        "38aa3b87-a06d-4817-b275-7a316988d93b" or
102        "27922004-5251-4030-b22d-91ecd9a37ea4" or
103        "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223" or
104        "cab96880-db5b-4e15-90a7-f3f1d62ffe39" or
105        "3a4d129e-7f50-4e0d-a7fd-033add0a29f4" or
106        "29d9ed98-a469-4536-ade2-f981bc1d605e" or
107        "c0ab8ce9-e9a0-42e7-b064-33d422df41f1" or
108        "9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7" or
109        "4813382a-8fa7-425e-ab75-3b753aab3abb" or
110        "08e18876-6177-487e-b8b5-cf950c1e598c" or
111        "0ec893e0-5785-4de6-99da-4ed124e5296c" or
112        "d3590ed6-52b3-4102-aeff-aad2292ab01c" or
113        "0dc2408a-bbc0-4238-871e-13b372f0200f" or
114        "4813382a-8fa7-425e-ab75-3b753aab3abb" or
115        "af124e86-4e96-495a-b70a-90f90ab96707" or
116        "e9c51622-460d-4d3d-952d-966a5b1da34c" or
117        "ecd6b820-32c2-49b6-98a6-444530e5a77a" or
118        "f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34" or
119        "e2ef5054-0287-4db6-afa3-013d96881fd3"
120    )
121'''
122
123
124[[rule.threat]]
125framework = "MITRE ATT&CK"
126[[rule.threat.technique]]
127id = "T1078"
128name = "Valid Accounts"
129reference = "https://attack.mitre.org/techniques/T1078/"
130[[rule.threat.technique.subtechnique]]
131id = "T1078.004"
132name = "Cloud Accounts"
133reference = "https://attack.mitre.org/techniques/T1078/004/"
134
135
136
137[rule.threat.tactic]
138id = "TA0001"
139name = "Initial Access"
140reference = "https://attack.mitre.org/tactics/TA0001/"
141[[rule.threat]]
142framework = "MITRE ATT&CK"
143[[rule.threat.technique]]
144id = "T1528"
145name = "Steal Application Access Token"
146reference = "https://attack.mitre.org/techniques/T1528/"
147
148
149[rule.threat.tactic]
150id = "TA0006"
151name = "Credential Access"
152reference = "https://attack.mitre.org/tactics/TA0006/"
153
154[rule.investigation_fields]
155field_names = [
156    "azure.signinlogs.properties.user_principal_name",
157    "azure.signinlogs.properties.user_id",
158    "azure.signinlogs.properties.app_id",
159    "azure.signinlogs.properties.app_display_name",
160    "azure.signinlogs.properties.client_app_used",
161    "azure.signinlogs.properties.incoming_token_type",
162    "azure.signinlogs.properties.authentication_protocol",
163    "azure.signinlogs.properties.authentication_requirement",
164    "azure.signinlogs.properties.token_issuer_type",
165    "azure.signinlogs.properties.resource_display_name",
166    "source.ip",
167    "source.as.number",
168    "source.geo.country_name",
169    "azure.signinlogs.properties.correlation_id",
170    "azure.signinlogs.properties.session_id",
171]
172
173[rule.new_terms]
174field = "new_terms_fields"
175value = ["azure.signinlogs.properties.user_principal_name", "azure.signinlogs.properties.app_id"]
176[[rule.new_terms.history_window_start]]
177field = "history_window_start"
178value = "now-14d"

Triage and analysis

Investigating Entra ID User Sign-in with Unusual Client

This rule identifies rare Azure Entra apps IDs requesting authentication on-behalf-of a principal user. An adversary with stolen credentials may specify an Azure-managed app ID to authenticate on-behalf-of a user. This is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The app ID specified may not be commonly used by the user based on their historical sign-in activity.

Possible investigation steps

  • Identify the source IP address from which the failed login attempts originated by reviewing source.ip. Determine if the IP is associated with known malicious activity using threat intelligence sources or if it belongs to a corporate VPN, proxy, or automation process.
  • Analyze affected user accounts by reviewing azure.signinlogs.properties.user_principal_name to determine if they belong to privileged roles or high-value users. Look for patterns indicating multiple failed attempts across different users, which could suggest a password spraying attempt.
  • Examine the authentication method used in azure.signinlogs.properties.authentication_details to identify which authentication protocols were attempted and why they failed. Legacy authentication methods may be more susceptible to brute-force attacks.
  • Review the authentication error codes found in azure.signinlogs.properties.status.error_code to understand why the login attempts failed. Common errors include 50126 for invalid credentials, 50053 for account lockouts, 50055 for expired passwords, and 50056 for users without a password.
  • Correlate failed logins with other sign-in activity by looking at event.outcome. Identify if there were any successful logins from the same user shortly after multiple failures or if there are different geolocations or device fingerprints associated with the same account.
  • Review azure.signinlogs.properties.app_id to identify which applications were initiating the authentication attempts. Determine if these applications are Microsoft-owned, third-party, or custom applications and if they are authorized to access the resources.
  • Check for any conditional access policies that may have been triggered by the failed login attempts by reviewing azure.signinlogs.properties.authentication_requirement. This can help identify if the failed attempts were due to policy enforcement or misconfiguration.

False positive analysis

  • Automated scripts or applications using non-interactive authentication may trigger this detection, particularly if they rely on legacy authentication protocols recorded in azure.signinlogs.properties.authentication_protocol.
  • Corporate proxies or VPNs may cause multiple users to authenticate from the same IP, appearing as repeated failed attempts under source.ip.
  • User account lockouts from forgotten passwords or misconfigured applications may show multiple authentication failures in azure.signinlogs.properties.status.error_code.
  • Exclude known trusted IPs, such as corporate infrastructure, from alerts by filtering source.ip.
  • Exclude known custom applications from azure.signinlogs.properties.app_id that are authorized to use non-interactive authentication.
  • Ignore principals with a history of failed logins due to legitimate reasons, such as expired passwords or account lockouts, by filtering azure.signinlogs.properties.user_principal_name.
  • Correlate sign-in failures with password reset events or normal user behavior before triggering an alert.

Response and remediation

  • Block the source IP address in source.ip if determined to be malicious.
  • Reset passwords for all affected user accounts listed in azure.signinlogs.properties.user_principal_name and enforce stronger password policies.
  • Ensure basic authentication is disabled for all applications using legacy authentication protocols listed in azure.signinlogs.properties.authentication_protocol.
  • Enable multi-factor authentication (MFA) for impacted accounts to mitigate credential-based attacks.
  • Review conditional access policies to ensure they are correctly configured to block unauthorized access attempts recorded in azure.signinlogs.properties.authentication_requirement.
  • Review Conditional Access policies to enforce risk-based authentication and block unauthorized access attempts recorded in azure.signinlogs.properties.authentication_requirement.
  • Implement a zero-trust security model by enforcing least privilege access and continuous authentication.
  • Regularly review and update conditional access policies to ensure they are effective against evolving threats.
  • Restrict the use of legacy authentication protocols by disabling authentication methods listed in azure.signinlogs.properties.client_app_used.
  • Regularly audit authentication logs in azure.signinlogs to detect abnormal login behavior and ensure early detection of potential attacks.
  • Regularly rotate client credentials and secrets for applications using non-interactive authentication to reduce the risk of credential theft.

References

  • ®5^òè'�ØÇúswéi¥2<Žñòšæ—æšæ£å7Í÷šw”Ç6›áÒ¹]í¸&õòbÒ@J"jv%GÈV«Ÿb ZøâG)œ§ã(¾g˜Ý‡øà;@h´z.P-;|pÄÙÎã³×üê%Ø% !ÕüÞYO6äÞÍ.J ߸º¹¸Õ–²àԔDž‚Û{¢òø3ÅT¤ÍŸ;¾%Þll†Ä±$=¨e~H¸2ý—gx€â;Ñ™¨Tû;a [u)Òõ¢f³àõj...


    Read More

Related rules

to-top