Entra ID User Signed In from Unusual Device
editEntra ID User Signed In from Unusual Device
editIdentifies when a Microsoft Entra ID user signs in from a device that is not typically used by the user, which may indicate potential compromise or unauthorized access attempts. This rule detects unusual sign-in activity by comparing the device used for the sign-in against the user’s typical device usage patterns. Adversaries may create and register a new device to obtain a Primary Refresh Token (PRT) and maintain persistent access.
Rule type: new_terms
Rule indices:
- filebeat-*
- logs-azure.signinlogs-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Cloud
- Domain: Identity
- Use Case: Threat Detection
- Tactic: Persistence
- Data Source: Azure
- Data Source: Microsoft Entra ID
- Data Source: Microsoft Entra ID Sign-in Logs
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
Investigating Entra ID User Signed In from Unusual Device
This rule detects when a Microsoft Entra ID user signs in from a device that is not typically used by the user, which may indicate potential compromise or unauthorized access attempts. This rule detects unusual sign-in activity by comparing the device used for the sign-in against the user’s typical device usage patterns. Adversaries may create and register a new device to obtain a Primary Refresh Token (PRT) and maintain persistent access.
Possible investigation steps
-
Review the
azure.signinlogs.properties.user_principal_namefield to identify the user associated with the sign-in. -
Check the
azure.signinlogs.properties.device_detail.device_idfield to identify the device used for the sign-in. -
Review
azure.signinlogs.properties.incoming_token_typeto determine what tpe of security token was used for the sign-in, such as a Primary Refresh Token (PRT). -
Examine
azure.signinlogs.categoryto determine if these were non-interactive or interactive sign-ins. -
Check the geolocation of the sign-in by reviewing
source.geo.country_nameandsource.geo.city_nameto identify the location of the device used for the sign-in. If these are unusual for the user, it may indicate a potential compromise. -
Review
azure.signinlogs.properties.app_idto determine which client application was used for the sign-in. If the application is not recognized or expected, it may indicate unauthorized access. Adversaries use first-party client IDs to blend in with legitimate traffic. -
Examine
azure.signinlogs.properties.resource_idto determine what resource the security token has in scope and/or is requesting access to. If the resource is not recognized or expected, it may indicate unauthorized access. Excessive access to Graph API is common post-compromise behavior. -
Review the identity protection risk status by checking
azure.signinlogs.properties.risk_levelandazure.signinlogs.properties.risk_detailto determine if the sign-in was flagged as risky by Entra ID Protection.
False positive analysis
- Legitimate users may sign in from new devices, such as when using a new laptop or mobile device. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users or device IDs.
- Environments where users frequently change devices, such as in a corporate setting with rotating hardware, may generate false positives.
- Users may use both an endpoint and mobile device for sign-ins, which could trigger this rule.
Response and remediation
- If the sign-in is confirmed to be suspicious or unauthorized, take immediate action to revoke the access token and prevent further access.
- Disable the user account temporarily to prevent any potential compromise or unauthorized access.
- Review the user’s recent sign-in activity and access patterns to identify any potential compromise or unauthorized access.
- If the user account is compromised, initiate a password reset and enforce multi-factor authentication (MFA) for the user.
- Review the conditional access policies in place to ensure they are sufficient to prevent unauthorized access to sensitive resources.
-
Identify the registered Entra ID device by reviewing
azure.signinlogs.properties.device_detail.display_nameand confirm it is expected for the user or organization. If it is not expected, consider removing the device registration. - Consider adding exceptions for verified devices that are known to be used by the user to reduce false-positives.
Setup
editRequired Microsoft Entra ID Sign-In Logs
This rule requires the Azure integration with Microsoft Entra ID Sign-In logs to be enabled and configured to collect audit and activity logs via Azure Event Hub.
Rule query
editevent.dataset: "azure.signinlogs" and
event.category: "authentication" and
azure.signinlogs.properties.user_type: "Member" and
azure.signinlogs.properties.token_protection_status_details.sign_in_session_status: "unbound" and
not azure.signinlogs.properties.device_detail.device_id: "" and
azure.signinlogs.properties.user_principal_name: *
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
-
Sub-technique:
- Name: Device Registration
- ID: T1098.005
- Reference URL: https://attack.mitre.org/techniques/T1098/005/
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
-
Sub-technique:
- Name: Cloud Accounts
- ID: T1078.004
- Reference URL: https://attack.mitre.org/techniques/T1078/004/