Entra ID Register Device with Unusual User Agent (Azure AD Join)

  1[metadata]
  2creation_date = "2026/05/15"
  3integration = ["azure"]
  4maturity = "production"
  5updated_date = "2026/05/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects successful Microsoft Entra ID audit events for Register device where additional details indicate an Azure AD join
 11and the recorded user agent is not one of the common native registration clients (Dsreg, DeviceRegistrationClient, or
 12Dalvik-based Android enrollment). Legitimate Windows and standard mobile enrollment flows often present predictable
 13user-agent strings; unexpected clients may reflect scripted registration, third-party tooling, or adversary-driven device
 14registration used for persistence or token abuse. Baseline approved provisioning tools and MDM integrations before tuning.
 15"""
 16false_positives = [
 17    """
 18    Custom device management agents, OEM enrollment clients, or updated Microsoft clients that use new user-agent strings
 19    may match. Add exclusions for known `azure.auditlogs.properties.userAgent` values or enrollment programs after review.
 20    """,
 21]
 22from = "now-9m"
 23index = ["logs-azure.auditlogs-*"]
 24language = "kuery"
 25license = "Elastic License v2"
 26name = "Entra ID Register Device with Unusual User Agent (Azure AD Join)"
 27note = """## Triage and analysis
 28
 29### Investigating Entra ID Register Device with Unusual User Agent (Azure AD Join)
 30
 31Review `azure.auditlogs.properties.initiated_by.user.userPrincipalName`, source IP fields on the audit event,
 32`azure.auditlogs.properties.target_resources.0.display_name` for the device name, and
 33`azure.correlation_id` for related audit entries.
 34
 35Compare `azure.auditlogs.properties.userAgent` to your organization's standard Autopilot, Intune, and Windows enrollment
 36clients.
 37
 38### Possible investigation steps
 39
 40- Confirm whether the user intentionally joined a device and whether the user agent matches a known provisioning package.
 41- Pivot to `azure.signinlogs` for the same principal and timeframe for risky sign-ins or token broker activity.
 42- Search for other `Register device` events from the same IP or user agent across the tenant.
 43
 44### Response and remediation
 45
 46- If malicious, remove the device in Entra ID, revoke refresh and primary refresh tokens for the user, and reset credentials per policy.
 47- Tighten device registration and join controls via Conditional Access and device compliance policies.
 48"""
 49references = [
 50    "https://learn.microsoft.com/en-us/entra/identity/devices/concept-directory-join",
 51    "https://github.com/dirkjanm/ROADtools",
 52]
 53risk_score = 47
 54rule_id = "d4695889-0410-4e7b-a4aa-59be525a11a6"
 55severity = "medium"
 56tags = [
 57    "Domain: Cloud",
 58    "Domain: Identity",
 59    "Data Source: Azure",
 60    "Data Source: Microsoft Entra ID",
 61    "Data Source: Microsoft Entra ID Audit Logs",
 62    "Use Case: Threat Detection",
 63    "Tactic: Persistence",
 64    "Resources: Investigation Guide",
 65]
 66timestamp_override = "event.ingested"
 67type = "query"
 68query = '''
 69data_stream.dataset:"azure.auditlogs" and event.action:"Register device" and
 70event.outcome:(success or Success) and
 71azure.auditlogs.properties.userAgent:(* and not (Dsreg* or DeviceRegistrationClient or Dalvik*)) and
 72azure.auditlogs.properties.additional_details.value:"Azure AD join"
 73'''
 74
 75[rule.investigation_fields]
 76field_names = [
 77    "@timestamp",
 78    "event.action",
 79    "event.outcome",
 80    "azure.auditlogs.properties.userAgent",
 81    "azure.auditlogs.properties.additional_details.value",
 82    "azure.auditlogs.properties.initiated_by.user.userPrincipalName",
 83    "azure.auditlogs.properties.initiated_by.user.ipAddress",
 84    "azure.auditlogs.properties.target_resources.0.display_name",
 85    "azure.auditlogs.properties.target_resources.0.id",
 86    "azure.correlation_id",
 87]
 88
 89[[rule.threat]]
 90framework = "MITRE ATT&CK"
 91
 92[[rule.threat.technique]]
 93id = "T1098"
 94name = "Account Manipulation"
 95reference = "https://attack.mitre.org/techniques/T1098/"
 96
 97[[rule.threat.technique.subtechnique]]
 98id = "T1098.005"
 99name = "Device Registration"
100reference = "https://attack.mitre.org/techniques/T1098/005/"
101
102[rule.threat.tactic]
103id = "TA0003"
104name = "Persistence"
105reference = "https://attack.mitre.org/tactics/TA0003/"