Azure Entra ID Rare App ID for Principal Authentication
Identifies rare Azure Entra ID app IDs requesting authentication on behalf of a principal user. An adversary with stolen credentials may specify an Azure-managed app ID to authenticate on behalf of a user. This is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The app ID specified may not be commonly used by the user based on their historical sign-in activity.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2025/03/10"
integration = ["azure"]
maturity = "production"
updated_date = "2025/03/10"

[rule]
author = ["Elastic"]
description = """
Identifies rare Azure Entra ID apps IDs requesting authentication on-behalf-of a principal user. An adversary with stolen
credentials may specify an Azure-managed app ID to authenticate on-behalf-of a user. This is a rare event and may
indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The
app ID specified may not be commonly used by the user based on their historical sign-in activity.
"""
from = "now-9m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Entra ID Rare App ID for Principal Authentication"
note = """## Triage and analysis

### Investigating Azure Entra ID Rare App ID for Principal Authentication

This rule identifies rare Azure Entra apps IDs requesting authentication on-behalf-of a principal user. An adversary with stolen credentials may specify an Azure-managed app ID to authenticate on-behalf-of a user. This is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The app ID specified may not be commonly used by the user based on their historical sign-in activity.

**This is a New Terms rule that focuses on first occurrence of the client `azure.signinlogs.properties.app_id` requesting authentication on-behalf-of the principal user `azure.signinlogs.properties.user_principal_name` in the last 14-days.**

### Possible investigation steps

- Identify the source IP address from which the failed login attempts originated by reviewing `source.ip`. Determine if the IP is associated with known malicious activity using threat intelligence sources or if it belongs to a corporate VPN, proxy, or automation process.
- Analyze affected user accounts by reviewing `azure.signinlogs.properties.user_principal_name` to determine if they belong to privileged roles or high-value users. Look for patterns indicating multiple failed attempts across different users, which could suggest a password spraying attempt.
- Examine the authentication method used in `azure.signinlogs.properties.authentication_details` to identify which authentication protocols were attempted and why they failed. Legacy authentication methods may be more susceptible to brute-force attacks.
- Review the authentication error codes found in `azure.signinlogs.properties.status.error_code` to understand why the login attempts failed. Common errors include `50126` for invalid credentials, `50053` for account lockouts, `50055` for expired passwords, and `50056` for users without a password.
- Correlate failed logins with other sign-in activity by looking at `event.outcome`. Identify if there were any successful logins from the same user shortly after multiple failures or if there are different geolocations or device fingerprints associated with the same account.
- Review `azure.signinlogs.properties.app_id` to identify which applications were initiating the authentication attempts. Determine if these applications are Microsoft-owned, third-party, or custom applications and if they are authorized to access the resources.
- Check for any conditional access policies that may have been triggered by the failed login attempts by reviewing `azure.signinlogs.properties.authentication_requirement`. This can help identify if the failed attempts were due to policy enforcement or misconfiguration.

## False positive analysis

### Common benign scenarios
- Automated scripts or applications using non-interactive authentication may trigger this detection, particularly if they rely on legacy authentication protocols recorded in `azure.signinlogs.properties.authentication_protocol`.
- Corporate proxies or VPNs may cause multiple users to authenticate from the same IP, appearing as repeated failed attempts under `source.ip`.
- User account lockouts from forgotten passwords or misconfigured applications may show multiple authentication failures in `azure.signinlogs.properties.status.error_code`.

### How to reduce false positives
- Exclude known trusted IPs, such as corporate infrastructure, from alerts by filtering `source.ip`.
- Exclude known custom applications from `azure.signinlogs.properties.app_id` that are authorized to use non-interactive authentication.
- Ignore principals with a history of failed logins due to legitimate reasons, such as expired passwords or account lockouts, by filtering `azure.signinlogs.properties.user_principal_name`.
- Correlate sign-in failures with password reset events or normal user behavior before triggering an alert.

## Response and remediation

### Immediate actions
- Block the source IP address in `source.ip` if determined to be malicious.
- Reset passwords for all affected user accounts listed in `azure.signinlogs.properties.user_principal_name` and enforce stronger password policies.
- Ensure basic authentication is disabled for all applications using legacy authentication protocols listed in `azure.signinlogs.properties.authentication_protocol`.
- Enable multi-factor authentication (MFA) for impacted accounts to mitigate credential-based attacks.
- Review conditional access policies to ensure they are correctly configured to block unauthorized access attempts recorded in `azure.signinlogs.properties.authentication_requirement`.
- Review Conditional Access policies to enforce risk-based authentication and block unauthorized access attempts recorded in `azure.signinlogs.properties.authentication_requirement`.

### Long-term mitigation
- Implement a zero-trust security model by enforcing least privilege access and continuous authentication.
- Regularly review and update conditional access policies to ensure they are effective against evolving threats.
- Restrict the use of legacy authentication protocols by disabling authentication methods listed in `azure.signinlogs.properties.client_app_used`.
- Regularly audit authentication logs in `azure.signinlogs` to detect abnormal login behavior and ensure early detection of potential attacks.
- Regularly rotate client credentials and secrets for applications using non-interactive authentication to reduce the risk of credential theft.
"""
references = ["https://securityscorecard.com/wp-content/uploads/2025/02/MassiveBotnet-Report_022125_03.pdf"]
risk_score = 47
rule_id = "c766bc56-fdca-11ef-b194-f661ea17fbcd"
severity = "medium"
tags = [
  "Domain: Cloud",
  "Data Source: Azure",
  "Data Source: Entra ID",
  "Data Source: Entra ID Sign-in",
  "Use Case: Identity and Access Audit",
  "Use Case: Threat Detection",
  "Tactic: Initial Access",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "azure.signinlogs" and event.category: "authentication"
  and azure.signinlogs.properties.is_interactive: false
  and azure.signinlogs.properties.user_type: "Member"
  and not azure.signinlogs.properties.client_app_used: "Browser"
  and not source.as.organization.name: "MICROSOFT-CORP-MSN-AS-BLOCK"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.new_terms]
field = "new_terms_fields"
value = ["azure.signinlogs.properties.user_principal_name", "azure.signinlogs.properties.app_id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
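The query and New Terms settings above, re-implemented as an added Python example so the windowing can be traced by hand. This is not Elastic's code: the ECS-shaped event layout, the placeholder users and app IDs, the trusted-app allowlist and the timestamps are all constructed here. It applies the rule's KQL filter to each document, treats a (user_principal_name, app_id) pair as new when it is absent from the 14-day history window that precedes the 9-minute run window, alerts once per new pair, and suppresses app IDs an analyst has allowlisted as the false-positive section suggests.

```python
# Added example (not Elastic's code): stand-alone re-implementation of the
# rule's query filter and New Terms logic over constructed sign-in events.
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=14)      # rule.new_terms history_window_start = "now-14d"
RUN_WINDOW = timedelta(minutes=9)        # rule "from" = "now-9m"
MSN_AS = "MICROSOFT-CORP-MSN-AS-BLOCK"   # source AS excluded by the rule query

# Tuning from "How to reduce false positives": app IDs authorised for
# non-interactive auth. Both the set and its value are constructed here.
TRUSTED_APP_IDS = {"APP-D-CONSTRUCTED"}


def make_event(ts, upn, app_id, *, interactive=False, user_type="Member",
               client_app="Mobile Apps and Desktop clients", as_org="ExampleISP",
               src_ip="203.0.113.10", auth_req="singleFactorAuthentication",
               error_code="0"):
    """Build a minimal ECS-shaped azure.signinlogs document (constructed sample data)."""
    return {
        "@timestamp": ts,
        "event": {"dataset": "azure.signinlogs", "category": ["authentication"]},
        "source": {"ip": src_ip, "as": {"organization": {"name": as_org}}},
        "azure": {"signinlogs": {"properties": {
            "is_interactive": interactive,
            "user_type": user_type,
            "client_app_used": client_app,
            "user_principal_name": upn,
            "app_id": app_id,
            "authentication_requirement": auth_req,
            "status": {"error_code": error_code},
        }}},
    }


def get_field(doc, path):
    """Dotted-path lookup; returns None when any segment is missing."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_query(doc):
    """Mirror the rule's KQL filter. event.category is a list in ECS, and the
    two `not` clauses must also match when their field is absent (None)."""
    category = get_field(doc, "event.category")
    categories = category if isinstance(category, list) else [category]
    return (
        get_field(doc, "event.dataset") == "azure.signinlogs"
        and "authentication" in categories
        and get_field(doc, "azure.signinlogs.properties.is_interactive") is False
        and get_field(doc, "azure.signinlogs.properties.user_type") == "Member"
        and get_field(doc, "azure.signinlogs.properties.client_app_used") != "Browser"
        and get_field(doc, "source.as.organization.name") != MSN_AS
    )


def new_terms_key(doc):
    """The rule's new_terms_fields: (user_principal_name, app_id)."""
    return (get_field(doc, "azure.signinlogs.properties.user_principal_name"),
            get_field(doc, "azure.signinlogs.properties.app_id"))


def run_rule(docs, now):
    """One alert per (user, app_id) pair seen in the run window but not in the
    preceding history window; allowlisted app IDs are suppressed."""
    history_start, run_start = now - HISTORY_WINDOW, now - RUN_WINDOW
    matching = [d for d in docs
                if matches_query(d) and history_start <= d["@timestamp"] <= now]
    history = {new_terms_key(d) for d in matching if d["@timestamp"] < run_start}
    alerts, seen = [], set()
    for doc in sorted((d for d in matching if d["@timestamp"] >= run_start),
                      key=lambda d: d["@timestamp"]):
        key = new_terms_key(doc)
        if key in history or key in seen or key[1] in TRUSTED_APP_IDS:
            continue
        seen.add(key)
        alerts.append({
            "user": key[0], "app_id": key[1], "timestamp": doc["@timestamp"],
            # fields the triage guide asks the analyst to review first
            "source_ip": get_field(doc, "source.ip"),
            "auth_requirement": get_field(doc, "azure.signinlogs.properties.authentication_requirement"),
            "error_code": get_field(doc, "azure.signinlogs.properties.status.error_code"),
        })
    return alerts


NOW = datetime(2025, 3, 10, 12, 0, 0)   # fixed "now" so the windows are reproducible


def mins_ago(n):
    return NOW - timedelta(minutes=n)


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed sample sign-ins; users and app IDs are placeholders, not real tenant values.
SAMPLE_DOCS = [
    make_event(days_ago(13), "alice@example.com", "APP-A-CONSTRUCTED"),  # inside history window
    make_event(days_ago(20), "bob@example.com", "APP-B-CONSTRUCTED"),    # older than 14 days: forgotten
    make_event(mins_ago(5), "alice@example.com", "APP-A-CONSTRUCTED"),   # known pair: no alert
    make_event(mins_ago(4), "alice@example.com", "APP-B-CONSTRUCTED"),   # new pair: alert
    make_event(mins_ago(3), "bob@example.com", "APP-B-CONSTRUCTED"),     # history expired: alert
    make_event(mins_ago(2), "carol@example.com", "APP-C-CONSTRUCTED", interactive=True),     # filtered
    make_event(mins_ago(2), "dave@example.com", "APP-A-CONSTRUCTED", as_org=MSN_AS),         # filtered
    make_event(mins_ago(1), "erin@example.com", "APP-B-CONSTRUCTED", client_app="Browser"),  # filtered
    make_event(mins_ago(1), "alice@example.com", "APP-B-CONSTRUCTED"),   # repeat of new pair: one alert only
    make_event(mins_ago(1), "frank@example.com", "APP-D-CONSTRUCTED"),   # allowlisted app ID: suppressed
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_DOCS, NOW):
        print(alert)
```

Running it yields two alerts, for alice with APP-B and for bob with APP-B. The bob case is the edge worth noticing: a pair last seen 20 days ago falls outside the 14-day history window, so the rule reports it as new again; in Kibana the history window is evaluated by the rule engine with the same semantics, and widening `history_window_start` is the lever if such re-alerts are noisy.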
Related rules
- Azure Entra ID Rare Authentication Requirement for Principal User
- Azure Entra MFA TOTP Brute Force Attempts
- Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
- Azure Entra Sign-in Brute Force against Microsoft 365 Accounts
- Azure External Guest User Invitation