diff --git a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml index d445e30039b..b74e5c28f4e 100644 --- a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml +++ b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml @@ -2,12 +2,12 @@ creation_date = "2025/06/16" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2025/12/15" [rule] author = ["Elastic"] description = """ -Identifies when a Microsoft Entra ID user signs in from a device that is not typically used by the user, which may +Identifies when a Microsoft Entra ID user signs in from a device that is not typically used by the user and is not managed, which may indicate potential compromise or unauthorized access attempts. This rule detects unusual sign-in activity by comparing the device used for the sign-in against the user's typical device usage patterns. Adversaries may create and register a new device to obtain a Primary Refresh Token (PRT) and maintain persistent access. 
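Review bot: The description now says the device "is not managed", but the condition this commit adds in the query hunk below, `not azure.signinlogs.properties.device_detail.is_managed: true`, is a negation and so also matches sign-in events in which `is_managed` is absent, which means the rule covers devices whose management state is unknown as well as explicitly unmanaged ones. If only explicitly unmanaged devices are intended, narrow the condition to `azure.signinlogs.properties.device_detail.is_managed: false`; otherwise word the description as `... not typically used by the user and is not reported as managed, which may` so the text matches what the query does, and apply the same wording to the new rule name in the next hunk. The edited description line is also noticeably longer than the wrapped context lines that follow it, so the paragraph likely needs re-wrapping to stay consistent with the rest of the file.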
@@ -16,10 +16,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID User Sign-in with Unusual Registered Device" +name = "Entra ID User Sign-in with Unusual Non-Managed Device" note = """## Triage and analysis -### Investigating Entra ID User Sign-in with Unusual Registered Device +### Investigating Entra ID User Sign-in with Unusual Non-Managed Device This rule detects when a Microsoft Entra ID user signs in from a device that is not typically used by the user, which may indicate potential compromise or unauthorized access attempts. This rule detects unusual sign-in activity by comparing the device used for the sign-in against the user's typical device usage patterns. Adversaries may create and register a new device to obtain a Primary Refresh Token (PRT) and maintain persistent access. @@ -71,6 +71,7 @@ event.dataset: "azure.signinlogs" and event.category: "authentication" and azure.signinlogs.properties.user_type: "Member" and azure.signinlogs.properties.token_protection_status_details.sign_in_session_status: "unbound" and + not azure.signinlogs.properties.device_detail.is_managed: true and not azure.signinlogs.properties.device_detail.device_id: "" and azure.signinlogs.properties.user_principal_name: * ''' @@ -133,6 +134,6 @@ value = [ ] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" +value = "now-14d"
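Review bot: The triage note's introductory paragraph was not updated along with the retitled heading: it still describes the rule only as a sign-in from a device "not typically used by the user", whereas the rule description and name now also require that the device not be managed. Change the paragraph's opening to `This rule detects when a Microsoft Entra ID user signs in from a device that is not typically used by the user and is not managed, which may` so analysts reading the note see the same condition the query enforces. The note block continues past the end of this hunk, so any later investigation or false-positive guidance that still refers to registered devices may need the same adjustment.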