@@ -2,13 +2,13 @@
creation_date = "2025/06/24"
integration = ["azure"]
maturity = "production"
updated_date = "2025/12/10"
updated_date = "2025/12/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a user signs in with a refresh token using the Microsoft Authentication Broker (MAB) client, followed by
a Primary Refresh Token (PRT) sign-in from the same device within 1 hour. This pattern may indicate that an attacker has
a Primary Refresh Token (PRT) sign-in from the same device within 1 hour from an unmanaged device. This pattern may indicate that an attacker has
successfully registered a device using ROADtx and transitioned from short-term token access to long-term persistent
access via PRTs. Excluding access to the Device Registration Service (DRS) ensures the PRT is being used beyond
registration, often to access Microsoft 365 resources like Outlook or SharePoint.
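Review bot: the amended description sentence now reads "from the same device within 1 hour from an unmanaged device", which is redundant and leaves it unclear which device is the unmanaged one; suggest "followed by a Primary Refresh Token (PRT) sign-in from the same unmanaged device within 1 hour". The rest of the description (ROADtx registration, DRS exclusion) still matches the query, so only that sentence needs the rewording.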
@@ -18,12 +18,12 @@ index = ["filebeat-*", "logs-azure.signinlogs-*"]
interval = "30m"
language = "eql"
license = "Elastic License v2"
name = "Entra ID OAuth Primary Refresh Token (PRT) Issuance via Refresh Token (RT) Detected"
name = "Entra ID OAuth PRT Issuance to Non-Managed Device Detected"
note = """## Triage and analysis

### Investigating Entra ID OAuth Primary Refresh Token (PRT) Issuance via Refresh Token (RT) Detected
### Investigating Entra ID OAuth PRT Issuance to Non-Managed Device Detected

This rule identifies a sequence where a Microsoft Entra ID user signs in using a refresh token issued to the Microsoft Authentication Broker (MAB), followed by a sign-in using a Primary Refresh Token (PRT) from the same device. This behavior is uncommon for normal user activity and strongly suggests adversarial behavior, particularly when paired with OAuth phishing and device registration tools like ROADtx. The use of PRT shortly after a refresh token sign-in typically indicates the attacker has obtained device trust and is now using the PRT to impersonate a fully compliant user+device pair.
This rule identifies a sequence where a Microsoft Entra ID authenticates using a refresh token issued to the Microsoft Authentication Broker (MAB), followed by an authentication using a Primary Refresh Token (PRT) from the same unmanaged device. This behavior is uncommon for normal user activity and strongly suggests adversarial behavior, particularly when paired with OAuth phishing and device registration tools like ROADtx. The use of PRT shortly after a refresh token sign-in typically indicates the attacker has registered a virtual device and is now using the PRT to impersonate a registered user+device pair. The device in question is still marked as unmanaged, indicating it is not compliant with organizational policies and managed by Intune or other MDM solutions.

### Possible investigation steps
- Identify the user principal and device from `azure.signinlogs.properties.user_principal_name` and `azure.signinlogs.properties.device_detail.device_id`.
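Review bot: the rewritten investigation paragraph drops its subject: "where a Microsoft Entra ID authenticates" should read "where a Microsoft Entra ID user authenticates". The closing sentence "not compliant with organizational policies and managed by Intune or other MDM solutions" can be read as saying the device is managed by Intune; suggest "is not compliant with organizational policies and is not managed by Intune or another MDM solution". The renamed rule and note heading no longer mention the refresh-token stage, while the sequence still keys on the MAB refresh-token sign-in; keep that first stage stated in the description so the rename is not read as a change in detection logic.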
@@ -83,7 +83,12 @@ sequence by azure.signinlogs.properties.user_id, azure.signinlogs.properties.dev
event.dataset == "azure.signinlogs" and
azure.signinlogs.properties.incoming_token_type == "primaryRefreshToken" and
azure.signinlogs.properties.resource_display_name != "Device Registration Service" and
azure.signinlogs.result_signature == "SUCCESS"
azure.signinlogs.result_signature == "SUCCESS" and
azure.signinlogs.properties.device_detail.is_managed != true
and not (
azure.signinlogs.properties.app_display_name == "Windows Sign In" or
user_agent.original == "Windows-AzureAD-Authentication-Provider/1.0"
)
]
'''

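Review bot: `azure.signinlogs.properties.device_detail.is_managed != true` needs a check on how EQL evaluates `!=` when the field is absent from the event; if sign-ins with no `device_detail.is_managed` value should count as unmanaged (which is the likely case for a freshly registered device), express that explicitly, e.g. `(azure.signinlogs.properties.device_detail.is_managed == false or azure.signinlogs.properties.device_detail.is_managed == null)`, rather than relying on `!= true`. Style: the new `and not (` starts its line while the surrounding conditions carry `and` at line end; align to one convention. The exclusion of `app_display_name == "Windows Sign In"` and the `Windows-AzureAD-Authentication-Provider/1.0` user agent is not explained in the description or the triage note; add a sentence stating that these are native Windows logon PRT requests being filtered as expected activity, so the exclusion can be reviewed during tuning.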