[New Rule] Entra ID Device Code Auth with Broker Client (#3819)

* new rule 'Entra ID Device Code Auth with Broker Client'

* updated azure integration, non-ecs updated, rule date updated

* updates tags

* updated query to add Azure activity logs

* merging in main

* updated azure manifest and schemas

* updated azure manifest and schemas

* updated index map for summary and changelog

* removed string imports

* reverting packaging.py updates

* adjusted query

* adjusted query to be more optimized

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit 99a4d629c9)

detection_rules/etc/non-ecs-schema.json

@@ -148,5 +148,12 @@
   "logs-aws.cloudtrail-*": {
     "aws.cloudtrail.flattened.request_parameters.cidrIp": "keyword",
     "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword"
+  },
+  "logs-azure.signinlogs-*": {
+    "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword"
+  },
+  "logs-azure.activitylogs-*": {
+    "azure.activitylogs.properties.authentication_protocol": "keyword",
+    "azure.activitylogs.properties.appId": "keyword"
   }
 }

rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml

@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2024/06/24"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2024/06/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e).
+"""
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Entra ID Device Code Auth with Broker Client"
+references =[
+    "https://dirkjanm.io/assets/raw/Phishing%20the%20Phishing%20Resistant.pdf",
+    "https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/governance/verify-first-party-apps-sign-in",
+    "https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs"
+]
+risk_score = 47
+rule_id = "a83b3dac-325a-11ef-b3e6-f661ea17fbce"
+setup = """
+This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected.
+"""
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Azure",
+    "Data Source: Microsoft Entra ID",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Credential Access",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+ event.dataset:(azure.activitylogs or azure.signinlogs)
+    and azure.signinlogs.properties.authentication_protocol:deviceCode
+    and azure.signinlogs.properties.conditional_access_audiences.application_id:29d9ed98-a469-4536-ade2-f981bc1d605e
+    and event.outcome:success or (
+        azure.activitylogs.properties.appId:29d9ed98-a469-4536-ade2-f981bc1d605e
+        and azure.activitylogs.properties.authentication_protocol:deviceCode)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+