Data Source: Entra ID Sign-in Logs | Detection.FYI

Microsoft Azure or Mail Sign-in from a Suspicious Source

May 6, 2025 · Domain: Cloud Domain: SaaS Data Source: Azure Data Source: Entra ID Data Source: Entra ID Sign-in Logs Data Source: Microsoft 365 Data Source: Microsoft 365 Audit Logs Use Case: Identity and Access Audit Use Case: Threat Detection Tactic: Initial Access Resources: Investigation Guide Rule Type: Higher-Order Rule ·
Share on:

This rule correlate Azure or Office 356 mail successful sign-in events with network security alerts by source.ip. Adversaries may trigger some network security alerts such as reputation or other anomalies before accessing cloud resources.

Read More
Suspicious Activity via Auth Broker On-Behalf-of Principal User

May 6, 2025 · Domain: Cloud Data Source: Azure Data Source: Entra ID Data Source: Entra ID Sign-in Logs Use Case: Identity and Access Audit Use Case: Threat Detection Resources: Investigation Guide Tactic: Defense Evasion Tactic: Persistence ·
Share on:

Identifies suspicious activity from the Microsoft Authentication Broker in Microsoft Entra ID sign-in logs. This behavior may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to register a device and access Microsoft services as a user. The pattern includes sign-ins from multiple IPs across services (Microsoft Graph, DRS, AAD) using the Authentication Broker client on behalf of a principal user.

Read More