Entra ID User Signed In from Unusual Device

  1[metadata]
  2creation_date = "2025/06/16"
  3integration = ["azure"]
  4maturity = "production"
  5updated_date = "2025/06/16"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies when a Microsoft Entra ID user signs in from a device that is not typically used by the user, which may
 11indicate potential compromise or unauthorized access attempts. This rule detects unusual sign-in activity by comparing
 12the device used for the sign-in against the user's typical device usage patterns. Adversaries may create and register a
 13new device to obtain a Primary Refresh Token (PRT) and maintain persistent access.
 14"""
 15from = "now-9m"
 16index = ["filebeat-*", "logs-azure.signinlogs-*"]
 17language = "kuery"
 18license = "Elastic License v2"
 19name = "Entra ID User Signed In from Unusual Device"
 20note = """## Triage and analysis
 21
 22### Investigating Entra ID User Signed In from Unusual Device
 23
 24This rule detects when a Microsoft Entra ID user signs in from a device that is not typically used by the user, which may indicate potential compromise or unauthorized access attempts. This rule detects unusual sign-in activity by comparing the device used for the sign-in against the user's typical device usage patterns. Adversaries may create and register a new device to obtain a Primary Refresh Token (PRT) and maintain persistent access.
 25
 26### Possible investigation steps
 27- Review the `azure.signinlogs.properties.user_principal_name` field to identify the user associated with the sign-in.
 28- Check the `azure.signinlogs.properties.device_detail.device_id` field to identify the device used for the sign-in.
 29- Review `azure.signinlogs.properties.incoming_token_type` to determine what tpe of security token was used for the sign-in, such as a Primary Refresh Token (PRT).
 30- Examine `azure.signinlogs.category` to determine if these were non-interactive or interactive sign-ins.
 31- Check the geolocation of the sign-in by reviewing `source.geo.country_name` and `source.geo.city_name` to identify the location of the device used for the sign-in. If these are unusual for the user, it may indicate a potential compromise.
 32- Review `azure.signinlogs.properties.app_id` to determine which client application was used for the sign-in. If the application is not recognized or expected, it may indicate unauthorized access. Adversaries use first-party client IDs to blend in with legitimate traffic.
 33- Examine `azure.signinlogs.properties.resource_id` to determine what resource the security token has in scope and/or is requesting access to. If the resource is not recognized or expected, it may indicate unauthorized access. Excessive access to Graph API is common post-compromise behavior.
 34- Review the identity protection risk status by checking `azure.signinlogs.properties.risk_level` and `azure.signinlogs.properties.risk_detail` to determine if the sign-in was flagged as risky by Entra ID Protection.
 35
 36### False positive analysis
 37- Legitimate users may sign in from new devices, such as when using a new laptop or mobile device. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users or device IDs.
 38- Environments where users frequently change devices, such as in a corporate setting with rotating hardware, may generate false positives.
 39- Users may use both an endpoint and mobile device for sign-ins, which could trigger this rule.
 40
 41### Response and remediation
 42- If the sign-in is confirmed to be suspicious or unauthorized, take immediate action to revoke the access token and prevent further access.
 43- Disable the user account temporarily to prevent any potential compromise or unauthorized access.
 44- Review the user's recent sign-in activity and access patterns to identify any potential compromise or unauthorized access.
 45- If the user account is compromised, initiate a password reset and enforce multi-factor authentication (MFA) for the user.
 46- Review the conditional access policies in place to ensure they are sufficient to prevent unauthorized access to sensitive resources.
 47- Identify the registered Entra ID device by reviewing `azure.signinlogs.properties.device_detail.display_name` and confirm it is expected for the user or organization. If it is not expected, consider removing the device registration.
 48- Consider adding exceptions for verified devices that are known to be used by the user to reduce false-positives.
 49"""
 50risk_score = 21
 51rule_id = "72c91fc0-4ac0-11f0-811f-f661ea17fbcd"
 52setup = """#### Required Microsoft Entra ID Sign-In Logs
 53This rule requires the Azure integration with Microsoft Entra ID Sign-In logs to be enabled and configured to collect audit and activity logs via Azure Event Hub.
 54"""
 55severity = "low"
 56tags = [
 57    "Domain: Cloud",
 58    "Domain: Identity",
 59    "Use Case: Threat Detection",
 60    "Tactic: Persistence",
 61    "Data Source: Azure",
 62    "Data Source: Microsoft Entra ID",
 63    "Data Source: Microsoft Entra ID Sign-in Logs",
 64    "Resources: Investigation Guide",
 65]
 66timestamp_override = "event.ingested"
 67type = "new_terms"
 68
 69query = '''
 70event.dataset: "azure.signinlogs" and
 71    event.category: "authentication" and
 72    azure.signinlogs.properties.user_type: "Member" and
 73    azure.signinlogs.properties.token_protection_status_details.sign_in_session_status: "unbound" and
 74    not azure.signinlogs.properties.device_detail.device_id: "" and
 75    azure.signinlogs.properties.user_principal_name: *
 76'''
 77
 78[rule.investigation_fields]
 79field_names = [
 80    "azure.signinlogs.properties.user_principal_name",
 81    "azure.signinlogs.properties.device_detail.device_id",
 82    "azure.signinlogs.properties.incoming_token_type",
 83    "azure.signinlogs.category",
 84    "source.geo.country_name",
 85    "source.geo.city_name",
 86    "source.address",
 87    "azure.signinlogs.properties.app_id",
 88    "azure.signinlogs.properties.resource_id",
 89    "azure.signinlogs.properties.risk_level",
 90    "azure.signinlogs.properties.risk_detail",
 91]
 92
 93[[rule.threat]]
 94framework = "MITRE ATT&CK"
 95[[rule.threat.technique]]
 96id = "T1098"
 97name = "Account Manipulation"
 98reference = "https://attack.mitre.org/techniques/T1098/"
 99[[rule.threat.technique.subtechnique]]
100id = "T1098.005"
101name = "Device Registration"
102reference = "https://attack.mitre.org/techniques/T1098/005/"
103
104
105
106[rule.threat.tactic]
107id = "TA0003"
108name = "Persistence"
109reference = "https://attack.mitre.org/tactics/TA0003/"
110[[rule.threat]]
111framework = "MITRE ATT&CK"
112[[rule.threat.technique]]
113id = "T1078"
114name = "Valid Accounts"
115reference = "https://attack.mitre.org/techniques/T1078/"
116[[rule.threat.technique.subtechnique]]
117id = "T1078.004"
118name = "Cloud Accounts"
119reference = "https://attack.mitre.org/techniques/T1078/004/"
120
121
122
123[rule.threat.tactic]
124id = "TA0001"
125name = "Initial Access"
126reference = "https://attack.mitre.org/tactics/TA0001/"
127
128[rule.new_terms]
129field = "new_terms_fields"
130value = [
131    "azure.signinlogs.properties.user_principal_name",
132    "azure.signinlogs.properties.device_detail.device_id",
133]
134[[rule.new_terms.history_window_start]]
135field = "history_window_start"
136value = "now-7d"