diff --git a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml index e92512c2691..da8c29614c4 100644 --- a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml @@ -2,15 +2,20 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2025/12/15" [rule] author = ["Elastic"] description = """ -Identifies rare Azure Entra ID apps IDs requesting authentication on-behalf-of a principal user. An adversary with stolen -credentials may specify an Azure-managed app ID to authenticate on-behalf-of a user. This is a rare event and may -indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The -app ID specified may not be commonly used by the user based on their historical sign-in activity. +Detects rare non-interactive sign-ins where an Entra ID client application authenticates on behalf of a principal user +using an application (client) ID that is not commonly associated with that user’s historical sign-in behavior. +Adversaries with stolen credentials or OAuth tokens may abuse Entra ID–managed or first-party client IDs to perform +on-behalf-of (OBO) authentication, blending into legitimate cloud traffic while avoiding traditional interactive sign-in +flows. This technique is commonly observed in OAuth phishing, token theft, and access broker operations, and may precede +lateral movement, persistence, or data access via Microsoft Graph or other cloud resources. The rule uses a New Terms +approach to identify first-seen combinations of the UPN and Client ID within a defined history window, helping surface +unexpected client usage that may indicate compromised identities, malicious automation, or unauthorized application +impersonation. """ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] @@ -23,8 +28,6 @@ note = """## Triage and analysis This rule identifies rare Azure Entra apps IDs requesting authentication on-behalf-of a principal user. An adversary with stolen credentials may specify an Azure-managed app ID to authenticate on-behalf-of a user. This is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The app ID specified may not be commonly used by the user based on their historical sign-in activity. -**This is a New Terms rule that focuses on first occurrence of the client `azure.signinlogs.properties.app_id` requesting authentication on-behalf-of the principal user `azure.signinlogs.properties.user_principal_name` in the last 14-days.** - ### Possible investigation steps - Identify the source IP address from which the failed login attempts originated by reviewing `source.ip`. Determine if the IP is associated with known malicious activity using threat intelligence sources or if it belongs to a corporate VPN, proxy, or automation process. @@ -37,28 +40,22 @@ This rule identifies rare Azure Entra apps IDs requesting authentication on-beha ## False positive analysis -### Common benign scenarios - Automated scripts or applications using non-interactive authentication may trigger this detection, particularly if they rely on legacy authentication protocols recorded in `azure.signinlogs.properties.authentication_protocol`. - Corporate proxies or VPNs may cause multiple users to authenticate from the same IP, appearing as repeated failed attempts under `source.ip`. - User account lockouts from forgotten passwords or misconfigured applications may show multiple authentication failures in `azure.signinlogs.properties.status.error_code`. - -### How to reduce false positives - Exclude known trusted IPs, such as corporate infrastructure, from alerts by filtering `source.ip`. -- Exlcude known custom applications from `azure.signinlogs.properties.app_id` that are authorized to use non-interactive authentication. +- Exclude known custom applications from `azure.signinlogs.properties.app_id` that are authorized to use non-interactive authentication. - Ignore principals with a history of failed logins due to legitimate reasons, such as expired passwords or account lockouts, by filtering `azure.signinlogs.properties.user_principal_name`. - Correlate sign-in failures with password reset events or normal user behavior before triggering an alert. ## Response and remediation -### Immediate actions - Block the source IP address in `source.ip` if determined to be malicious. - Reset passwords for all affected user accounts listed in `azure.signinlogs.properties.user_principal_name` and enforce stronger password policies. - Ensure basic authentication is disabled for all applications using legacy authentication protocols listed in `azure.signinlogs.properties.authentication_protocol`. - Enable multi-factor authentication (MFA) for impacted accounts to mitigate credential-based attacks. - Review conditional access policies to ensure they are correctly configured to block unauthorized access attempts recorded in `azure.signinlogs.properties.authentication_requirement`. - Review Conditional Access policies to enforce risk-based authentication and block unauthorized access attempts recorded in `azure.signinlogs.properties.authentication_requirement`. - -### Long-term mitigation - Implement a zero-trust security model by enforcing least privilege access and continuous authentication. - Regularly review and update conditional access policies to ensure they are effective against evolving threats. - Restrict the use of legacy authentication protocols by disabling authentication methods listed in `azure.signinlogs.properties.client_app_used`. @@ -71,6 +68,7 @@ rule_id = "c766bc56-fdca-11ef-b194-f661ea17fbcd" severity = "medium" tags = [ "Domain: Cloud", + "Domain: Identity", "Data Source: Azure", "Data Source: Entra ID", "Data Source: Entra ID Sign-in", @@ -104,7 +102,21 @@ event.dataset: "azure.signinlogs" and event.category: "authentication" "27922004-5251-4030-b22d-91ecd9a37ea4" or "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223" or "cab96880-db5b-4e15-90a7-f3f1d62ffe39" or - "3a4d129e-7f50-4e0d-a7fd-033add0a29f4" + "3a4d129e-7f50-4e0d-a7fd-033add0a29f4" or + "29d9ed98-a469-4536-ade2-f981bc1d605e" or + "c0ab8ce9-e9a0-42e7-b064-33d422df41f1" or + "9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7" or + "4813382a-8fa7-425e-ab75-3b753aab3abb" or + "08e18876-6177-487e-b8b5-cf950c1e598c" or + "0ec893e0-5785-4de6-99da-4ed124e5296c" or + "d3590ed6-52b3-4102-aeff-aad2292ab01c" or + "0dc2408a-bbc0-4238-871e-13b372f0200f" or + "4813382a-8fa7-425e-ab75-3b753aab3abb" or + "af124e86-4e96-495a-b70a-90f90ab96707" or + "e9c51622-460d-4d3d-952d-966a5b1da34c" or + "ecd6b820-32c2-49b6-98a6-444530e5a77a" or + "f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34" or + "e2ef5054-0287-4db6-afa3-013d96881fd3" ) ''' @@ -121,6 +133,7 @@ name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -138,6 +151,25 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[rule.investigation_fields] +field_names = [ + "azure.signinlogs.properties.user_principal_name", + "azure.signinlogs.properties.user_id", + "azure.signinlogs.properties.app_id", + "azure.signinlogs.properties.app_display_name", + "azure.signinlogs.properties.client_app_used", + "azure.signinlogs.properties.incoming_token_type", + "azure.signinlogs.properties.authentication_protocol", + "azure.signinlogs.properties.authentication_requirement", + "azure.signinlogs.properties.token_issuer_type", + "azure.signinlogs.properties.resource_display_name", + "source.ip", + "source.as.number", + "source.geo.country_name", + "azure.signinlogs.properties.correlation_id", + "azure.signinlogs.properties.session_id", +] + [rule.new_terms] field = "new_terms_fields" value = ["azure.signinlogs.properties.user_principal_name", "azure.signinlogs.properties.app_id"]