[Rule Tuning] Entra ID OAuth user_impersonation Scope for Unusual User and Client (#5462)

Fixes #5461

rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/07/03"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/06"
+updated_date = "2025/12/15"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,7 @@ event.dataset: azure.signinlogs and
     azure.signinlogs.properties.token_protection_status_details.sign_in_session_status: "unbound" and
     azure.signinlogs.properties.user_type: "Member" and
     azure.signinlogs.properties.conditional_access_status: "notApplied" and
-    not user_agent.original: Mozilla*PKeyAuth/1.0 and
+    not user_agent.original: (Mozilla*PKeyAuth/1.0 or Microsoft*Authentication*iPhone*) and
     not azure.signinlogs.properties.device_detail.operating_system: (Ios* or Android*) and
     event.outcome: "success"
     and not azure.signinlogs.properties.app_id: (
@@ -91,7 +91,17 @@ event.dataset: azure.signinlogs and
         "6bc3b958-689b-49f5-9006-36d165f30e00" or
         "66a88757-258c-4c72-893c-3e8bed4d6899" or
         "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe" or
-        "0000000c-0000-0000-c000-000000000000"
+        "0000000c-0000-0000-c000-000000000000" or
+        "0a5f63c0-b750-4f38-a71c-4fc0d58b89e2" or
+        "48af08dc-f6d2-435f-b2a7-069abd99c086" or
+        "ab9b8c07-8f02-4f72-87fa-80105867a763" or
+        "fc0f3af4-6835-4174-b806-f7db311fd2f3" or
+        "5e3ce6c0-2b1f-4285-8d4b-75ee78787346" or
+        "e8be65d6-d430-4289-a665-51bf2a194bda" or
+        "95de633a-083e-42f5-b444-a4295d8e9314" or
+        "d52792f4-ba38-424d-8140-ada5b883f293" or
+        "65d91a3d-ab74-42e6-8a2f-0add61688c74" or
+        "8c59ead7-d703-4a27-9e55-c96a0054c8d2"
     )
 '''