[New Rule] Entra ID User Signed In from Unusual Device (#4804)

* new rule Entra ID User Signed In from Unusual Device

* adjusted patch version

* adjusted patch version

* updating patch version

detection_rules/etc/non-ecs-schema.json

@@ -179,7 +179,8 @@
     "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword",
     "azure.signinlogs.properties.original_transfer_method": "keyword",
     "azure.auditlogs.properties.target_resources.0.display_name": "keyword",
-    "azure.signinlogs.properties.authentication_details.authentication_method": "keyword"
+    "azure.signinlogs.properties.authentication_details.authentication_method": "keyword",
+    "azure.signinlogs.properties.token_protection_status_details.sign_in_session_status": "keyword"
   },
   "logs-azure.activitylogs-*": {
     "azure.activitylogs.properties.authentication_protocol": "keyword",

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.2.20"
+version = "1.2.21"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml

@@ -0,0 +1,138 @@
+[metadata]
+creation_date = "2025/06/16"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/06/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a Microsoft Entra ID user signs in from a device that is not typically used by the user, which may
+indicate potential compromise or unauthorized access attempts. This rule detects unusual sign-in activity by comparing
+the device used for the sign-in against the user's typical device usage patterns. Adversaries may create and register a
+new device to obtain a Primary Refresh Token (PRT) and maintain persistent access.
+"""
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.signinlogs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Entra ID User Signed In from Unusual Device"
+note = """## Triage and analysis
+
+### Investigating Entra ID User Signed In from Unusual Device
+
+This rule detects when a Microsoft Entra ID user signs in from a device that is not typically used by the user, which may indicate potential compromise or unauthorized access attempts. This rule detects unusual sign-in activity by comparing the device used for the sign-in against the user's typical device usage patterns. Adversaries may create and register a new device to obtain a Primary Refresh Token (PRT) and maintain persistent access.
+
+### Possible investigation steps
+- Review the `azure.signinlogs.properties.user_principal_name` field to identify the user associated with the sign-in.
+- Check the `azure.signinlogs.properties.device_detail.device_id` field to identify the device used for the sign-in.
+- Review `azure.signinlogs.properties.incoming_token_type` to determine what tpe of security token was used for the sign-in, such as a Primary Refresh Token (PRT).
+- Examine `azure.signinlogs.category` to determine if these were non-interactive or interactive sign-ins.
+- Check the geolocation of the sign-in by reviewing `source.geo.country_name` and `source.geo.city_name` to identify the location of the device used for the sign-in. If these are unusual for the user, it may indicate a potential compromise.
+- Review `azure.signinlogs.properties.app_id` to determine which client application was used for the sign-in. If the application is not recognized or expected, it may indicate unauthorized access. Adversaries use first-party client IDs to blend in with legitimate traffic.
+- Examine `azure.signinlogs.properties.resource_id` to determine what resource the security token has in scope and/or is requesting access to. If the resource is not recognized or expected, it may indicate unauthorized access. Excessive access to Graph API is common post-compromise behavior.
+- Review the identity protection risk status by checking `azure.signinlogs.properties.risk_level` and `azure.signinlogs.properties.risk_detail` to determine if the sign-in was flagged as risky by Entra ID Protection.
+
+### False positive analysis
+- Legitimate users may sign in from new devices, such as when using a new laptop or mobile device. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users or device IDs.
+- Environments where users frequently change devices, such as in a corporate setting with rotating hardware, may generate false positives.
+- Users may use both an endpoint and mobile device for sign-ins, which could trigger this rule.
+
+### Response and remediation
+- If the sign-in is confirmed to be suspicious or unauthorized, take immediate action to revoke the access token and prevent further access.
+- Disable the user account temporarily to prevent any potential compromise or unauthorized access.
+- Review the user's recent sign-in activity and access patterns to identify any potential compromise or unauthorized access.
+- If the user account is compromised, initiate a password reset and enforce multi-factor authentication (MFA) for the user.
+- Review the conditional access policies in place to ensure they are sufficient to prevent unauthorized access to sensitive resources.
+- Identify the registered Entra ID device by reviewing `azure.signinlogs.properties.device_detail.display_name` and confirm it is expected for the user or organization. If it is not expected, consider removing the device registration.
+- Consider adding exceptions for verified devices that are known to be used by the user to reduce false-positives.
+"""
+risk_score = 21
+rule_id = "72c91fc0-4ac0-11f0-811f-f661ea17fbcd"
+setup = """#### Required Microsoft Entra ID Sign-In Logs
+This rule requires the Azure integration with Microsoft Entra ID Sign-In logs to be enabled and configured to collect audit and activity logs via Azure Event Hub.
+"""
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Domain: Identity",
+    "Use Case: Threat Detection",
+    "Tactic: Persistence",
+    "Data Source: Azure",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "azure.signinlogs" and
+    event.category: "authentication" and
+    azure.signinlogs.properties.user_type: "Member" and
+    azure.signinlogs.properties.token_protection_status_details.sign_in_session_status: "unbound" and
+    not azure.signinlogs.properties.device_detail.device_id: "" and
+    azure.signinlogs.properties.user_principal_name: *
+'''
+
+[rule.investigation_fields]
+field_names = [
+    "azure.signinlogs.properties.user_principal_name",
+    "azure.signinlogs.properties.device_detail.device_id",
+    "azure.signinlogs.properties.incoming_token_type",
+    "azure.signinlogs.category",
+    "source.geo.country_name",
+    "source.geo.city_name",
+    "source.address",
+    "azure.signinlogs.properties.app_id",
+    "azure.signinlogs.properties.resource_id",
+    "azure.signinlogs.properties.risk_level",
+    "azure.signinlogs.properties.risk_detail",
+]
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.005"
+name = "Device Registration"
+reference = "https://attack.mitre.org/techniques/T1098/005/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = [
+    "azure.signinlogs.properties.user_principal_name",
+    "azure.signinlogs.properties.device_detail.device_id",
+]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
+
+