[Hunt Tuning] Entra ID Device Code Phishing / Update Drifted Docs (#5936)

Fixes #5935 Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2026-05-04 09:46:13 -04:00
parent a6fba3c728
commit 2d6094e1e4
9 changed files with 198 additions and 69 deletions
@@ -25,6 +25,7 @@ from logs-aws.cloudtrail-*
    event.outcome == "success" AND
    aws.cloudtrail.request_parameters LIKE "*phoneNumber*"
 | DISSECT user_agent.original "%{user_agent_name} %{?user_agent_remainder}"
+| KEEP target_time_window, cloud.account.id, aws.cloudtrail.user_identity.arn, cloud.region, source.address, user_agent_name
 | STATS sms_message_count = COUNT(*) by target_time_window, cloud.account.id, aws.cloudtrail.user_identity.arn, cloud.region, source.address, user_agent_name
 | WHERE sms_message_count > 30
 ```
@@ -24,6 +24,7 @@ from logs-aws.cloudtrail-*
 | DISSECT aws.cloudtrail.request_parameters "%{?protocol_key}=%{protocol}, %{?endpoint_key}=%{redacted}, %{?return_arn}=%{return_bool}, %{?topic_arn_key}=%{topic_arn}}"
 | DISSECT user_agent.original "%{user_agent_name} %{?user_agent_remainder}"
 | WHERE protocol == "email"
+| KEEP cloud.region, source.address, aws.cloudtrail.user_identity.arn, user_agent_name
 | STATS regional_topic_subscription_count = COUNT(*) by aws.cloudtrail.user_identity.arn, cloud.region, source.address, user_agent_name
 | WHERE regional_topic_subscription_count == 1
 | SORT regional_topic_subscription_count ASC
@@ -26,6 +26,7 @@ from logs-aws.cloudtrail-*
 | DISSECT aws.cloudtrail.user_identity.arn "%{?}:assumed-role/%{assumed_role_name}/%{entity}"
 | DISSECT user_agent.original "%{user_agent_name} %{?user_agent_remainder}"
 | WHERE STARTS_WITH(entity, "i-")
+| KEEP cloud.account.id, entity, assumed_role_name, cloud.region, user_agent_name
 | STATS regional_topic_created_count = COUNT(*) by cloud.account.id, entity, assumed_role_name, cloud.region, user_agent_name
 | SORT regional_topic_created_count ASC
 ```
@@ -26,6 +26,7 @@ from logs-aws.cloudtrail-*
 | DISSECT aws.cloudtrail.user_identity.arn "%{?}:assumed-role/%{assumed_role_name}/%{entity}"
 | DISSECT user_agent.original "%{user_agent_name} %{?user_agent_remainder}"
 | WHERE STARTS_WITH(entity, "i-")
+| KEEP cloud.account.id, entity, assumed_role_name, topic_arn, cloud.region, user_agent_name
 | STATS regional_topic_publish_count = COUNT(*) by cloud.account.id, entity, assumed_role_name, topic_arn, cloud.region, user_agent_name
 | SORT regional_topic_publish_count ASC
 ```
@@ -1,67 +1,129 @@
-# Azure Entra Device Code Authentication from Unusual Principal
+# Entra ID Device Code Authentication from Unusual Principal

 ---

 ## Metadata

 - **Author:** Elastic
- **Description:** This hunting query identifies Azure Entra sign-in logs where the authentication method used was Device Code Flow, which is often used for kiosk or IoT devices. If this authentication method is observed from a user or device that does not typically use it, it may indicate a potential compromise. This technique is common by adversaries conducting phishing campaigns with pre-registered device codes sent to targeted users whom are then redirected to Microsoft's device code authentication endpoint to initiation the workflow. The query filters for unusual authentication attempts based on the user principal name and the source address.
+- **Description:** This hunt identifies high-fidelity device code phishing follow-on activity in Azure Entra ID sign-in logs. Real device code phishing campaigns (Storm-2372, APT29, AADInternals/ROADTools/TokenSmith tradecraft) succeed when a victim completes the OAuth device code flow, granting the adversary tokens for first-party Microsoft client applications such as Microsoft Azure CLI, Microsoft Azure PowerShell, Microsoft Graph Command Line Tools, Windows Terminal, or Visual Studio Code. The adversary then exchanges those tokens against high-value resources — Azure Resource Manager (cloud control plane), Microsoft Graph (directory and mailbox enumeration), Office 365 Exchange Online (mail), or Windows Azure AD (directory) — typically from an unmanaged, non-inventoried device.
+
+This query filters away the dominant benign patterns observed in production telemetry: Microsoft Authentication Broker → Device Registration Service flows (legitimate device join), incoming `primaryRefreshToken` exchanges (post-auth refresh, not initial access), Microsoft-owned source ASNs, and well-managed compliant devices. What remains is the suspicious shape: a first-party CLI client + high-value resource + single-factor or no conditional access + missing device detail + non-Microsoft source ASN.

 - **UUID:** `b54528ca-eec8-11ef-b314-f661ea17fbce`
 - **Integration:** [azure](https://docs.elastic.co/integrations/azure)
 - **Language:** `[ES|QL]`
- **Source File:** [Azure Entra Device Code Authentication from Unusual Principal](../queries/entra_device_code_authentication_from_unusual_principal.toml)
+- **Source File:** [Entra ID Device Code Authentication from Unusual Principal](../queries/entra_device_code_authentication_from_unusual_principal.toml)

 ## Query

 ```sql
 FROM logs-azure.signinlogs-*

-// query Azure Entra Sign-in logs
+// scope to Entra ID sign-in events
 | WHERE @timestamp > now() - 14 day
-| WHERE event.dataset in ("azure.signinlogs")
-    and event.category == "authentication"
+  AND event.dataset == "azure.signinlogs"
+  AND event.category == "authentication"

-    // filter for device code workflows
-    // original transfer method indicates refresh tokens where device code was originally used
-    and (
-        azure.signinlogs.properties.authentication_protocol == "deviceCode" or
-        azure.signinlogs.properties.original_transfer_method == "Device code flow"
+// device code grant flow (initial or token exchange originating from device code)
+  AND (
+    azure.signinlogs.properties.authentication_protocol == "deviceCode"
+    OR azure.signinlogs.properties.original_transfer_method == "Device code flow"
  )

-// bucket authentication attempts by each day
-| EVAL target_time_window = DATE_TRUNC(1 days, @timestamp)
+// successful authentications only
+  AND azure.signinlogs.properties.status.error_code == 0

-// aggregate authentication attempts by user principal name, source address, and message
+// drop Microsoft Authentication Broker - benign device-join flow
+  AND azure.signinlogs.properties.app_id != "29d9ed98-a469-4536-ade2-f981bc1d605e"
+
+// drop Device Registration Service as resource - benign device-join target
+  AND azure.signinlogs.properties.resource_id != "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"
+
+// drop primaryRefreshToken / refreshToken exchanges - we want initial token issuance, not refresh
+  AND (
+    azure.signinlogs.properties.incoming_token_type IS NULL
+    OR azure.signinlogs.properties.incoming_token_type NOT IN ("primaryRefreshToken", "refreshToken")
+  )
+
+// focus on first-party Microsoft CLI / dev tooling commonly abused in device code phishing
+  AND azure.signinlogs.properties.app_id IN (
+    "04b07795-8ddb-461a-bbee-02f9e1bf7b46",  // Microsoft Azure CLI
+    "1950a258-227b-4e31-a9cf-717495945fc2",  // Microsoft Azure PowerShell
+    "14d82eec-204b-4c2f-b7e8-296a70dab67e",  // Microsoft Graph Command Line Tools
+    "245e1dee-74ef-4257-a8c8-8208296e1dfd",  // Windows Terminal
+    "aebc6443-996d-45c2-90f0-388ff96faa56",  // Visual Studio Code
+    "1fec8e78-bce4-4aaf-ab1b-5451cc387264",  // Microsoft Teams
+    "d3590ed6-52b3-4102-aeff-aad2292ab01c",  // Microsoft Office
+    "ab9b8c07-8f02-4f72-87fa-80105867a763"   // OneDrive SyncEngine
+  )
+
+// focus on high-value target resources (cloud control plane, directory, mail, identity)
+  AND azure.signinlogs.properties.resource_id IN (
+    "797f4846-ba00-4fd7-ba43-dac1f8f63013",  // Azure Resource Manager
+    "00000003-0000-0000-c000-000000000000",  // Microsoft Graph
+    "00000002-0000-0ff1-ce00-000000000000",  // Office 365 Exchange Online
+    "00000002-0000-0000-c000-000000000000",  // Windows Azure Active Directory
+    "0000000a-0000-0000-c000-000000000000"   // Microsoft Intune
+  )
+
+// drop Microsoft-owned source ASNs (legitimate Azure-hosted operations)
+// re-enable if hunting Azure-infrastructure abuse
+  AND (source.as.number IS NULL OR source.as.number != 8075)
+
+// suspicious posture: SFA OR no conditional access OR missing device detail
+  AND (
+    azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication"
+    OR azure.signinlogs.properties.conditional_access_status == "notApplied"
+    OR (
+      azure.signinlogs.properties.device_detail.is_compliant IS NULL
+      AND azure.signinlogs.properties.device_detail.is_managed IS NULL
+    )
+    OR (
+      azure.signinlogs.properties.device_detail.is_compliant == false
+      AND azure.signinlogs.properties.device_detail.is_managed == false
+    )
+  )
+
+// aggregate by identity + client + resource posture
 | STATS
-    auth_count = count(*) by
-        target_time_window,
+    auth_count = COUNT(*),
+    first_seen = MIN(@timestamp),
+    last_seen = MAX(@timestamp),
+    src_ips = VALUES(source.ip),
+    src_asns = VALUES(source.as.organization.name),
+    countries = VALUES(source.geo.country_iso_code),
+    user_agents = VALUES(user_agent.original),
+    correlation_ids = VALUES(azure.signinlogs.properties.correlation_id),
+    session_ids = VALUES(azure.signinlogs.properties.session_id)
+  BY
    azure.signinlogs.properties.user_principal_name,
-        source.address,
-        message
+    azure.signinlogs.properties.app_display_name,
+    azure.signinlogs.properties.resource_display_name,
+    azure.signinlogs.properties.authentication_requirement

-// filter further for low auth counts by a particular principal name
-// indicating device code auth workflows are unusual for this user
-| WHERE auth_count < 5
+// surface low-volume / first-time patterns - rare combinations are highest interest
+| WHERE auth_count < 10
+| SORT first_seen DESC
+| LIMIT 100
 ```

 ## Notes

- Review `azure.signinlogs.properties.authentication_protocol` to verify the authentication method used. Device Code Flow is typically reserved for IoT, kiosk, or embedded devices.
- Investigate `azure.signinlogs.properties.user_principal_name` to determine whether the user typically authenticates using Device Code Flow. Unusual use by regular accounts may indicate compromise.
- Analyze `source.as.organization.name` to determine if the request originated from a known hosting provider, VPN, or anonymization service that is unexpected in your environment.
- Examine `source.address` to check if the IP address is associated with previous suspicious activity, high-risk geolocations, or known threat infrastructure.
- Pivot on `azure.signinlogs.properties.original_transfer_method` to identify if the Device Code Flow was used in combination with refresh tokens, which may indicate session hijacking.
- Correlate findings with `azure.signinlogs.properties.authentication_processing_details` to identify possible legacy protocol usage, token replay, or bypass mechanisms.
- Review `azure.signinlogs.properties.applied_conditional_access_policies` to determine if Conditional Access rules were applied, bypassed, or enforced during authentication.
- Check `azure.signinlogs.properties.device_detail.browser` and `user_agent.original` to verify if the user agent aligns with expected authentication behavior for this user or device type.
- If authentication was successful, pivot on `azure.signinlogs.properties.user_principal_name` to check for additional high-risk activities within the same session.
- Monitor for multiple authentication attempts within a short period from different IPs or ASNs, which may indicate adversarial testing or phishing-based compromise.
+- Microsoft Authentication Broker (29d9ed98-a469-4536-ade2-f981bc1d605e) is intentionally excluded — its device code flows almost always represent legitimate device-join / PRT acquisition. Adversary-driven device code phishing in production telemetry overwhelmingly uses Azure CLI / PowerShell / Graph CLI / Windows Terminal / VS Code as the requesting client.
+- Device code flow IS MFA-capable. Single-factor authentication on a device code grant is meaningful — it indicates either no Conditional Access policy targeted the resource, or the policy excludes device code, or no MFA baseline exists. Treat SFA on these grants as elevated risk, not expected behavior.
+- Missing `azure.signinlogs.properties.device_detail.*` fields indicate the authenticating endpoint is not Entra-joined, not Intune-enrolled, and not compliant — consistent with an attacker-controlled host completing the flow on the victim's behalf.
+- Pivot on `azure.signinlogs.properties.correlation_id`, `session_id`, and `unique_token_identifier` to correlate with subsequent Microsoft Graph activity (`azure.graphactivitylogs-*`), Azure activity (`azure.activitylogs-*`), and M365 audit events (`o365.audit-*`) to map post-compromise actions on the same identity.
+- Pivot on `azure.signinlogs.properties.user_id` against detection alerts on the same cluster to surface stacked alerts on the identity (rare app ID, rare authentication requirement, OAuth phishing first-party app, high-risk sign-in).
+- Investigate `user_agent.original` for forged or anomalous tokens (offensive tooling like python-requests, httpx, fasthttp, kali, axiom, nuclei, msal-python, or deliberately silly forged UAs are high-confidence indicators). Real browsers in standard form are not exonerating but do reduce immediate priority.
+- Inspect `source.as.organization.name` and `source.geo.country_iso_code` against the user's normal sign-in pattern. Sudden non-Microsoft hosting providers, residential VPNs, or unexpected geographies on these flows are high-priority.
+- Microsoft-owned ASNs (MICROSOFT-CORP-MSN-AS-BLOCK / AS8075) are excluded by default but can be re-enabled for tenants where Azure-hosted infrastructure abuse is in scope.
+- If results return zero rows, expand the lookback window or remove the resource_display_name filter to surface device code grants against unexpected resources.

 ## MITRE ATT&CK Techniques

 - [T1078.004](https://attack.mitre.org/techniques/T1078/004)
 - [T1528](https://attack.mitre.org/techniques/T1528)
+- [T1566.002](https://attack.mitre.org/techniques/T1566/002)

 ## License

@@ -1,55 +1,116 @@
 [hunt]
 author = "Elastic"
 description = """
-This hunting query identifies Azure Entra sign-in logs where the authentication method used was Device Code Flow, which is often used for kiosk or IoT devices. If this authentication method is observed from a user or device that does not typically use it, it may indicate a potential compromise. This technique is common by adversaries conducting phishing campaigns with pre-registered device codes sent to targeted users whom are then redirected to Microsoft's device code authentication endpoint to initiation the workflow. The query filters for unusual authentication attempts based on the user principal name and the source address.
+This hunt identifies high-fidelity device code phishing follow-on activity in Azure Entra ID sign-in logs. Real device code phishing campaigns (Storm-2372, APT29, AADInternals/ROADTools/TokenSmith tradecraft) succeed when a victim completes the OAuth device code flow, granting the adversary tokens for first-party Microsoft client applications such as Microsoft Azure CLI, Microsoft Azure PowerShell, Microsoft Graph Command Line Tools, Windows Terminal, or Visual Studio Code. The adversary then exchanges those tokens against high-value resources — Azure Resource Manager (cloud control plane), Microsoft Graph (directory and mailbox enumeration), Office 365 Exchange Online (mail), or Windows Azure AD (directory) — typically from an unmanaged, non-inventoried device.
+
+This query filters away the dominant benign patterns observed in production telemetry: Microsoft Authentication Broker → Device Registration Service flows (legitimate device join), incoming `primaryRefreshToken` exchanges (post-auth refresh, not initial access), Microsoft-owned source ASNs, and well-managed compliant devices. What remains is the suspicious shape: a first-party CLI client + high-value resource + single-factor or no conditional access + missing device detail + non-Microsoft source ASN.
 """
 integration = ["azure"]
 uuid = "b54528ca-eec8-11ef-b314-f661ea17fbce"
-name = "Azure Entra Device Code Authentication from Unusual Principal"
+name = "Entra ID Device Code Authentication from Unusual Principal"
 language = ["ES|QL"]
 license = "Elastic License v2"
 notes = [
-    "Review `azure.signinlogs.properties.authentication_protocol` to verify the authentication method used. Device Code Flow is typically reserved for IoT, kiosk, or embedded devices.",
-    "Investigate `azure.signinlogs.properties.user_principal_name` to determine whether the user typically authenticates using Device Code Flow. Unusual use by regular accounts may indicate compromise.",
-    "Analyze `source.as.organization.name` to determine if the request originated from a known hosting provider, VPN, or anonymization service that is unexpected in your environment.",
-    "Examine `source.address` to check if the IP address is associated with previous suspicious activity, high-risk geolocations, or known threat infrastructure.",
-    "Pivot on `azure.signinlogs.properties.original_transfer_method` to identify if the Device Code Flow was used in combination with refresh tokens, which may indicate session hijacking.",
-    "Correlate findings with `azure.signinlogs.properties.authentication_processing_details` to identify possible legacy protocol usage, token replay, or bypass mechanisms.",
-    "Review `azure.signinlogs.properties.applied_conditional_access_policies` to determine if Conditional Access rules were applied, bypassed, or enforced during authentication.",
-    "Check `azure.signinlogs.properties.device_detail.browser` and `user_agent.original` to verify if the user agent aligns with expected authentication behavior for this user or device type.",
-    "If authentication was successful, pivot on `azure.signinlogs.properties.user_principal_name` to check for additional high-risk activities within the same session.",
-    "Monitor for multiple authentication attempts within a short period from different IPs or ASNs, which may indicate adversarial testing or phishing-based compromise."
+    "Microsoft Authentication Broker (29d9ed98-a469-4536-ade2-f981bc1d605e) is intentionally excluded — its device code flows almost always represent legitimate device-join / PRT acquisition. Adversary-driven device code phishing in production telemetry overwhelmingly uses Azure CLI / PowerShell / Graph CLI / Windows Terminal / VS Code as the requesting client.",
+    "Device code flow IS MFA-capable. Single-factor authentication on a device code grant is meaningful — it indicates either no Conditional Access policy targeted the resource, or the policy excludes device code, or no MFA baseline exists. Treat SFA on these grants as elevated risk, not expected behavior.",
+    "Missing `azure.signinlogs.properties.device_detail.*` fields indicate the authenticating endpoint is not Entra-joined, not Intune-enrolled, and not compliant — consistent with an attacker-controlled host completing the flow on the victim's behalf.",
+    "Pivot on `azure.signinlogs.properties.correlation_id`, `session_id`, and `unique_token_identifier` to correlate with subsequent Microsoft Graph activity (`azure.graphactivitylogs-*`), Azure activity (`azure.activitylogs-*`), and M365 audit events (`o365.audit-*`) to map post-compromise actions on the same identity.",
+    "Pivot on `azure.signinlogs.properties.user_id` against detection alerts on the same cluster to surface stacked alerts on the identity (rare app ID, rare authentication requirement, OAuth phishing first-party app, high-risk sign-in).",
+    "Investigate `user_agent.original` for forged or anomalous tokens (offensive tooling like python-requests, httpx, fasthttp, kali, axiom, nuclei, msal-python, or deliberately silly forged UAs are high-confidence indicators). Real browsers in standard form are not exonerating but do reduce immediate priority.",
+    "Inspect `source.as.organization.name` and `source.geo.country_iso_code` against the user's normal sign-in pattern. Sudden non-Microsoft hosting providers, residential VPNs, or unexpected geographies on these flows are high-priority.",
+    "Microsoft-owned ASNs (MICROSOFT-CORP-MSN-AS-BLOCK / AS8075) are excluded by default but can be re-enabled for tenants where Azure-hosted infrastructure abuse is in scope.",
+    "If results return zero rows, expand the lookback window or remove the resource_display_name filter to surface device code grants against unexpected resources."
 ]
-mitre = ['T1078.004','T1528']
+mitre = ['T1078.004','T1528','T1566.002']
 query = [
 '''
 FROM logs-azure.signinlogs-*

-// query Azure Entra Sign-in logs
+// scope to Entra ID sign-in events
 | WHERE @timestamp > now() - 14 day
-| WHERE event.dataset in ("azure.signinlogs")
-    and event.category == "authentication"
+  AND event.dataset == "azure.signinlogs"
+  AND event.category == "authentication"

-    // filter for device code workflows
-    // original transfer method indicates refresh tokens where device code was originally used
-    and (
-        azure.signinlogs.properties.authentication_protocol == "deviceCode" or
-        azure.signinlogs.properties.original_transfer_method == "Device code flow"
+// device code grant flow (initial or token exchange originating from device code)
+  AND (
+    azure.signinlogs.properties.authentication_protocol == "deviceCode"
+    OR azure.signinlogs.properties.original_transfer_method == "Device code flow"
  )

-// bucket authentication attempts by each day
-| EVAL target_time_window = DATE_TRUNC(1 days, @timestamp)
+// successful authentications only
+  AND azure.signinlogs.properties.status.error_code == 0

-// aggregate authentication attempts by user principal name, source address, and message
+// drop Microsoft Authentication Broker - benign device-join flow
+  AND azure.signinlogs.properties.app_id != "29d9ed98-a469-4536-ade2-f981bc1d605e"
+
+// drop Device Registration Service as resource - benign device-join target
+  AND azure.signinlogs.properties.resource_id != "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"
+
+// drop primaryRefreshToken / refreshToken exchanges - we want initial token issuance, not refresh
+  AND (
+    azure.signinlogs.properties.incoming_token_type IS NULL
+    OR azure.signinlogs.properties.incoming_token_type NOT IN ("primaryRefreshToken", "refreshToken")
+  )
+
+// focus on first-party Microsoft CLI / dev tooling commonly abused in device code phishing
+  AND azure.signinlogs.properties.app_id IN (
+    "04b07795-8ddb-461a-bbee-02f9e1bf7b46",  // Microsoft Azure CLI
+    "1950a258-227b-4e31-a9cf-717495945fc2",  // Microsoft Azure PowerShell
+    "14d82eec-204b-4c2f-b7e8-296a70dab67e",  // Microsoft Graph Command Line Tools
+    "245e1dee-74ef-4257-a8c8-8208296e1dfd",  // Windows Terminal
+    "aebc6443-996d-45c2-90f0-388ff96faa56",  // Visual Studio Code
+    "1fec8e78-bce4-4aaf-ab1b-5451cc387264",  // Microsoft Teams
+    "d3590ed6-52b3-4102-aeff-aad2292ab01c",  // Microsoft Office
+    "ab9b8c07-8f02-4f72-87fa-80105867a763"   // OneDrive SyncEngine
+  )
+
+// focus on high-value target resources (cloud control plane, directory, mail, identity)
+  AND azure.signinlogs.properties.resource_id IN (
+    "797f4846-ba00-4fd7-ba43-dac1f8f63013",  // Azure Resource Manager
+    "00000003-0000-0000-c000-000000000000",  // Microsoft Graph
+    "00000002-0000-0ff1-ce00-000000000000",  // Office 365 Exchange Online
+    "00000002-0000-0000-c000-000000000000",  // Windows Azure Active Directory
+    "0000000a-0000-0000-c000-000000000000"   // Microsoft Intune
+  )
+
+// drop Microsoft-owned source ASNs (legitimate Azure-hosted operations)
+// re-enable if hunting Azure-infrastructure abuse
+  AND (source.as.number IS NULL OR source.as.number != 8075)
+
+// suspicious posture: SFA OR no conditional access OR missing device detail
+  AND (
+    azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication"
+    OR azure.signinlogs.properties.conditional_access_status == "notApplied"
+    OR (
+      azure.signinlogs.properties.device_detail.is_compliant IS NULL
+      AND azure.signinlogs.properties.device_detail.is_managed IS NULL
+    )
+    OR (
+      azure.signinlogs.properties.device_detail.is_compliant == false
+      AND azure.signinlogs.properties.device_detail.is_managed == false
+    )
+  )
+
+// aggregate by identity + client + resource posture
 | STATS
-    auth_count = count(*) by
-        target_time_window,
+    auth_count = COUNT(*),
+    first_seen = MIN(@timestamp),
+    last_seen = MAX(@timestamp),
+    src_ips = VALUES(source.ip),
+    src_asns = VALUES(source.as.organization.name),
+    countries = VALUES(source.geo.country_iso_code),
+    user_agents = VALUES(user_agent.original),
+    correlation_ids = VALUES(azure.signinlogs.properties.correlation_id),
+    session_ids = VALUES(azure.signinlogs.properties.session_id)
+  BY
    azure.signinlogs.properties.user_principal_name,
-        source.address,
-        message
+    azure.signinlogs.properties.app_display_name,
+    azure.signinlogs.properties.resource_display_name,
+    azure.signinlogs.properties.authentication_requirement

-// filter further for low auth counts by a particular principal name
-// indicating device code auth workflows are unusual for this user
-| WHERE auth_count < 5
+// surface low-volume / first-time patterns - rare combinations are highest interest
+| WHERE auth_count < 10
+| SORT first_seen DESC
+| LIMIT 100
 '''
 ]
@@ -18,6 +18,7 @@ This technique is useful for identifying phishing campaigns, misconfigured infra

 ```sql
 FROM logs-* METADATA _score
+| WHERE @timestamp > now() - 30 day
 | WHERE (
    url.domain IS NOT NULL OR
    url.original IS NOT NULL OR
@@ -32,10 +32,10 @@ Here are the queries currently available:

 ## azure
 - [Azure Entra Authentication Attempts from Abused Hosting Service Providers](./azure/docs/entra_authentication_attempts_from_abused_hosting_service_providers.md) (ES|QL)
- [Azure Entra Device Code Authentication from Unusual Principal](./azure/docs/entra_device_code_authentication_from_unusual_principal.md) (ES|QL)
 - [Azure Entra Excessive Single-Factor Non-Interactive Sign-Ins](./azure/docs/entra_excessive_non_interactive_sfa_sign_ins_across_users.md) (ES|QL)
 - [Azure Entra Unusual Client App Authentication Requests on Behalf of Principal Users](./azure/docs/entra_unusual_client_app_auth_request_on_behalf_of_user.md) (ES|QL)
 - [Azure Entra Unusual Failed Authentication Attempts Behind Rare User Agents](./azure/docs/entra_authentication_attempts_behind_rare_user_agents.md) (ES|QL)
+- [Entra ID Device Code Authentication from Unusual Principal](./azure/docs/entra_device_code_authentication_from_unusual_principal.md) (ES|QL)
 - [Microsoft Entra ID Rare Service Principal Activity from Multiple IPs](./azure/docs/entra_rare_actions_by_service_principal.md) (ES|QL)
 - [Microsoft Entra ID Uncommon IP Adding Credentials to Service Principal](./azure/docs/entra_service_principal_credentials_added_to_rare_app.md) (ES|QL)
 - [Microsoft Entra Infrequent Suspicious OData Client Requests](./azure/docs/entra_suspicious_odata_client_requests.md) (ES|QL)
@@ -591,7 +591,7 @@ windows:
    mitre:
    - T1047
  1c7be6db-12eb-4281-878d-b6abe0454f36:
-    name: DNS Queries via LOLBins with Low Occurence Frequency
+    name: DNS Queries via LOLBins with Low Occurrence Frequency
    path: ./windows/queries/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.toml
    mitre:
    - T1071
@@ -728,11 +728,12 @@ azure:
    mitre:
    - T1078.004
  b54528ca-eec8-11ef-b314-f661ea17fbce:
-    name: Azure Entra Device Code Authentication from Unusual Principal
+    name: Entra ID Device Code Authentication from Unusual Principal
    path: ./azure/queries/entra_device_code_authentication_from_unusual_principal.toml
    mitre:
    - T1078.004
    - T1528
+    - T1566.002
  a9281116-fde0-11ef-9ee5-f661ea17fbcd:
    name: Azure Entra Excessive Single-Factor Non-Interactive Sign-Ins
    path: ./azure/queries/entra_excessive_non_interactive_sfa_sign_ins_across_users.toml