Merge branch 'main' into rt_3

Author: shashank-elastic

detection_rules/etc/non-ecs-schema.json

@@ -184,7 +184,8 @@
   },
   "logs-azure.graphactivitylogs-*": {
     "azure.graphactivitylogs.properties.c_idtyp": "keyword",
-    "azure.graphactivitylogs.properties.user_principal_object_id": "keyword"
+    "azure.graphactivitylogs.properties.user_principal_object_id": "keyword",
+    "azure.graphactivitylogs.properties.requestUri": "keyword"
   },
    "logs-o365.audit-*": {
      "o365.audit.ExtendedProperties.ResultStatusDetail": "keyword"

hunting/azure/docs/entra_suspicious_odata_client_requests.md

@@ -0,0 +1,79 @@
+# Microsoft Entra Infrequent Suspicious OData Client Requests
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** Identifies infrequent OData client requests in Microsoft Entra ID. This behavior may indicate an adversary using a custom or Azure-managed app ID to authenticate on behalf of a user. This is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The app ID specified may not be commonly used by the user based on their historical sign-in activity. The OData client is used in ROADTools, a toolset leveraged by threat actors to automate OAuth and OIDC workflows in Microsoft Entra ID following phishing or token theft.
+
+- **UUID:** `0d3d2254-2b4a-11f0-a019-f661ea17fbcc`
+- **Integration:** [azure](https://docs.elastic.co/integrations/azure)
+- **Language:** `[ES|QL]`
+- **Source File:** [Microsoft Entra Infrequent Suspicious OData Client Requests](../queries/entra_suspicious_odata_client_requests.toml)
+
+## Query
+
+```sql
+FROM logs-azure.auditlogs* METADATA _id, _index
+
+// Only Microsoft Entra ID audit logs
+| WHERE event.dataset == "azure.auditlogs"
+
+// Identify logs with the known suspicious OData user agent
+    AND azure.auditlogs.properties.additional_details.value LIKE "Microsoft.OData.Client/*"
+    AND azure.auditlogs.identity != "Device Registration Service"
+
+// Extract time window for pattern analysis
+| EVAL time_window = DATE_TRUNC(1d, @timestamp)
+
+// Normalize actor: prefer user UPN if available, else fallback to app name
+| EVAL actor = COALESCE(
+    azure.auditlogs.properties.initiated_by.user.userPrincipalName,
+    azure.auditlogs.properties.initiated_by.app.displayName,
+    "unknown"
+)
+
+// Keep core fields
+| KEEP @timestamp, actor, source.ip, azure.auditlogs.operation_name, azure.auditlogs.properties.activity_display_name, azure.auditlogs.identity, azure.auditlogs.properties.tenantId, azure.auditlogs.properties.initiated_by.app.servicePrincipalId, azure.auditlogs.properties.category, azure.auditlogs.properties.additional_details.value, time_window
+
+// Group by actor per day
+| STATS
+    count = COUNT(),
+    unique_ips = COUNT_DISTINCT(source.ip),
+    operations = VALUES(azure.auditlogs.operation_name),
+    identities = VALUES(azure.auditlogs.identity),
+    ips = VALUES(source.ip),
+    categories = VALUES(azure.auditlogs.properties.category),
+    clients = VALUES(azure.auditlogs.properties.additional_details.value)
+  BY actor, time_window
+
+// Optional: prioritize less frequent actors
+| SORT count ASC
+```
+
+## Notes
+
+- Review `azure.auditlogs.properties.additional_details.value` for `Microsoft.OData.Client/*` User-Agent strings. This is uncommon for legitimate first-party Microsoft applications and may indicate use of ROADTools or custom automation to register a device and obtain a PRT.
+- Check `azure.auditlogs.properties.initiated_by` for both `user` and `app` fields. The presence of both may suggest an OAuth on-behalf-of (OBO) flow, where the app is acting with delegated permissions from a phished user token.
+- Review `azure.auditlogs.properties.activity_display_name` and `operation_name` for device registration operations like `Add device` or `Add registered owner to device`. When combined with suspicious user-agents, this may indicate unauthorized device registration.
+- Review `azure.auditlogs.identity` for operations performed by `Device Registration Service`. This service name is commonly associated with device join flows that, if abused, may enable persistence via PRT acquisition.
+- Correlate with `azure.signinlogs` for sign-ins using the same `correlation_id` or `userPrincipalName`. Look for signs of previous OAuth token issuance or multi-geo IP behavior surrounding the device registration.
+- Investigate whether the device registered (under `azure.auditlogs.properties.target_resources`) corresponds to known or authorized endpoints. Devices with names like `DESKTOP-ATTACKER1` or unexpected OS versions may indicate rogue joins.
+- The source IP is likely to be Microsoft-managed infrastructure as requests are proxied through Azure services. Pivoting into which user principal the request is targeting and events leading up to the request may provide additional context.
+
+## MITRE ATT&CK Techniques
+
+- [T1078.004](https://attack.mitre.org/techniques/T1078/004)
+- [T1550.001](https://attack.mitre.org/techniques/T1550/001)
+- [T1098.005](https://attack.mitre.org/techniques/T1098/005)
+- [T1071.001](https://attack.mitre.org/techniques/T1071/001)
+- [T1556.006](https://attack.mitre.org/techniques/T1556/006)
+
+## References
+
+- https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/
+
+## License
+
+- `Elastic License v2`

hunting/azure/queries/entra_suspicious_odata_client_requests.toml

@@ -0,0 +1,66 @@
+[hunt]
+author = "Elastic"
+description = """
+Identifies infrequent OData client requests in Microsoft Entra ID. This behavior may indicate an adversary using a custom or Azure-managed app ID to authenticate on behalf of a user. This is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The app ID specified may not be commonly used by the user based on their historical sign-in activity. The OData client is used in ROADTools, a toolset leveraged by threat actors to automate OAuth and OIDC workflows in Microsoft Entra ID following phishing or token theft.
+"""
+integration = ["azure"]
+uuid = "0d3d2254-2b4a-11f0-a019-f661ea17fbcc"
+name = "Microsoft Entra Infrequent Suspicious OData Client Requests"
+language = ["ES|QL"]
+license = "Elastic License v2"
+notes = [
+    "Review `azure.auditlogs.properties.additional_details.value` for `Microsoft.OData.Client/*` User-Agent strings. This is uncommon for legitimate first-party Microsoft applications and may indicate use of ROADTools or custom automation to register a device and obtain a PRT.",
+    "Check `azure.auditlogs.properties.initiated_by` for both `user` and `app` fields. The presence of both may suggest an OAuth on-behalf-of (OBO) flow, where the app is acting with delegated permissions from a phished user token.",
+    "Review `azure.auditlogs.properties.activity_display_name` and `operation_name` for device registration operations like `Add device` or `Add registered owner to device`. When combined with suspicious user-agents, this may indicate unauthorized device registration.",
+    "Review `azure.auditlogs.identity` for operations performed by `Device Registration Service`. This service name is commonly associated with device join flows that, if abused, may enable persistence via PRT acquisition.",
+    "Correlate with `azure.signinlogs` for sign-ins using the same `correlation_id` or `userPrincipalName`. Look for signs of previous OAuth token issuance or multi-geo IP behavior surrounding the device registration.",
+    "Investigate whether the device registered (under `azure.auditlogs.properties.target_resources`) corresponds to known or authorized endpoints. Devices with names like `DESKTOP-ATTACKER1` or unexpected OS versions may indicate rogue joins.",
+    "The source IP is likely to be Microsoft-managed infrastructure as requests are proxied through Azure services. Pivoting into which user principal the request is targeting and events leading up to the request may provide additional context."
+]
+mitre = [
+    "T1078.004",
+    "T1550.001",
+    "T1098.005",
+    "T1071.001",
+    "T1556.006",
+]
+references = ["https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/"]
+query = [
+'''
+FROM logs-azure.auditlogs* METADATA _id, _index
+
+// Only Microsoft Entra ID audit logs
+| WHERE event.dataset == "azure.auditlogs"
+
+// Identify logs with the known suspicious OData user agent
+    AND azure.auditlogs.properties.additional_details.value LIKE "Microsoft.OData.Client/*"
+    AND azure.auditlogs.identity != "Device Registration Service"
+
+// Extract time window for pattern analysis
+| EVAL time_window = DATE_TRUNC(1d, @timestamp)
+
+// Normalize actor: prefer user UPN if available, else fallback to app name
+| EVAL actor = COALESCE(
+    azure.auditlogs.properties.initiated_by.user.userPrincipalName,
+    azure.auditlogs.properties.initiated_by.app.displayName,
+    "unknown"
+)
+
+// Keep core fields
+| KEEP @timestamp, actor, source.ip, azure.auditlogs.operation_name, azure.auditlogs.properties.activity_display_name, azure.auditlogs.identity, azure.auditlogs.properties.tenantId, azure.auditlogs.properties.initiated_by.app.servicePrincipalId, azure.auditlogs.properties.category, azure.auditlogs.properties.additional_details.value, time_window
+
+// Group by actor per day
+| STATS
+    count = COUNT(),
+    unique_ips = COUNT_DISTINCT(source.ip),
+    operations = VALUES(azure.auditlogs.operation_name),
+    identities = VALUES(azure.auditlogs.identity),
+    ips = VALUES(source.ip),
+    categories = VALUES(azure.auditlogs.properties.category),
+    clients = VALUES(azure.auditlogs.properties.additional_details.value)
+  BY actor, time_window
+
+// Optional: prioritize less frequent actors
+| SORT count ASC
+'''
+]

hunting/index.md

@@ -37,6 +37,7 @@ Here are the queries currently available:
 - [Azure Entra Unusual Client App Authentication Requests on Behalf of Principal Users](./azure/docs/entra_unusual_client_app_auth_request_on_behalf_of_user.md) (ES|QL)
 - [Azure Entra Unusual Failed Authentication Attempts Behind Rare User Agents](./azure/docs/entra_authentication_attempts_behind_rare_user_agents.md) (ES|QL)
 - [Microsoft Entra ID Credentials Added to Rare Service Principal](./azure/docs/entra_service_principal_credentials_added_to_rare_app.md) (ES|QL)
+- [Microsoft Entra Infrequent Suspicious OData Client Requests](./azure/docs/entra_suspicious_odata_client_requests.md) (ES|QL)
 
 
 ## linux

hunting/index.yml

@@ -757,3 +757,12 @@ azure:
     path: ./azure/queries/entra_service_principal_credentials_added_to_rare_app.toml
     mitre:
     - T1098.001
+  0d3d2254-2b4a-11f0-a019-f661ea17fbcc:
+    name: Microsoft Entra Infrequent Suspicious OData Client Requests
+    path: ./azure/queries/entra_suspicious_odata_client_requests.toml
+    mitre:
+    - T1078.004
+    - T1550.001
+    - T1098.005
+    - T1071.001
+    - T1556.006

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.2.4"
+version = "1.2.5"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml

@@ -0,0 +1,122 @@
+[metadata]
+creation_date = "2025/05/06"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/05/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies access to email resources via Microsoft Graph API using an first-party application on behalf of a user
+principal. This behavior may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT)
+to access email resources. The pattern includes requests to Microsoft Graph API endpoints related to email, such as
+/me/mailFolders/inbox/messages or /users/{user_id}/messages, using a public client application ID and a user principal
+object ID. This is a New Terms rule that only signals if the application ID and user principal object ID have not been
+seen doing this activity in the last 14 days.
+"""
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.graphactivitylogs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Suspicious Email Access by First-Party Application via Microsoft Graph"
+note = """## Triage and analysis
+
+### Investigating Suspicious Email Access by First-Party Application via Microsoft Graph
+
+This rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related APIs, such as `/me/messages`, `/sendMail`, or `/mailFolders/inbox/messages`. These accesses are performed via delegated user credentials using common OAuth scopes like `Mail.Read`, `Mail.ReadWrite`, `Mail.Send`, or `email`. This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`) and user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) have not been seen doing this activity in the last 14 days.
+
+### Possible Investigation Steps:
+
+- `azure.graphactivitylogs.properties.app_id`: Investigate the application ID involved. Is it known and sanctioned in your tenant? Pivot to Azure Portal → Enterprise Applications → Search by App ID to determine app details, publisher, and consent status.
+- `azure.graphactivitylogs.properties.scopes`: Review the scopes requested by the application. Email-related scopes such as `Mail.ReadWrite` and `Mail.Send` are especially sensitive and suggest the app is interacting with mail content.
+- `url.path` / `azure.graphactivitylogs.properties.requestUri`: Determine exactly which mail-related APIs were accessed (e.g., reading inbox, sending messages, enumerating folders).
+- `user.id`: Identify the user whose credentials were used. Determine if the user recently consented to a new app, clicked a phishing link, or reported suspicious activity.
+- `user_agent.original`: Check for suspicious automation tools (e.g., `python-requests`, `curl`, non-browser agents), which may suggest scripted access.
+- `source.ip` and `client.geo`: Investigate the source IP and geography. Look for unusual access from unexpected countries, VPS providers, or anonymizing services.
+- `http.request.method`: Determine intent based on HTTP method — `GET` (reading), `POST` (sending), `PATCH`/`DELETE` (modifying/removing messages).
+- `token_issued_at` and `@timestamp`: Determine how long the token has been active and whether access is ongoing or recent.
+- `azure.graphactivitylogs.properties.c_sid`: Use the session correlation ID to identify other related activity in the same session. This may help identify if the app is accessing multiple users' mailboxes or if the same user is accessing multiple apps.
+- Correlate with Microsoft Entra ID (`azure.auditlogs` and `azure.signinlogs`) to determine whether:
+  - The app was recently granted admin or user consent
+  - Risky sign-ins occurred just prior to or after mail access
+  - The same IP or app ID appears across multiple users
+
+### False Positive Analysis
+
+- New legitimate apps may appear after a user consents via OAuth. Developers, third-party tools, or IT-supplied utilities may access mail APIs if users consent.
+- Users leveraging Microsoft development environments (e.g., Visual Studio Code) may trigger this behavior with delegated `.default` permissions.
+- Admin-approved apps deployed via conditional access may trigger similar access logs if not previously seen in detection baselines.
+
+### Response and Remediation
+
+- If access is unauthorized or unexpected:
+  - Revoke the app's consent in Azure AD via the Enterprise Applications blade.
+  - Revoke user refresh tokens via Microsoft Entra or PowerShell.
+  - Investigate the user's session and alert them to possible phishing or OAuth consent abuse.
+- Review and restrict risky OAuth permissions in Conditional Access and App Governance policies.
+- Add known, trusted app IDs to a detection allowlist to reduce noise in the future.
+- Continue monitoring the app ID for additional usage across the tenant or from suspicious IPs.
+"""
+references = [
+    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
+    "https://github.com/dirkjanm/ROADtools",
+    "https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/",
+]
+risk_score = 47
+rule_id = "e882e934-2aaa-11f0-8272-f661ea17fbcc"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Azure",
+    "Data Source: Microsoft Graph",
+    "Data Source: Microsoft Graph Activity Logs",
+    "Use Case: Threat Detection",
+    "Tactic: Collection",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "azure.graphactivitylogs" and
+azure.graphactivitylogs.properties.app_id: * and
+azure.graphactivitylogs.result_signature: 200 and
+azure.graphactivitylogs.properties.c_idtyp: "user" and
+azure.graphactivitylogs.properties.client_auth_method: 0 and
+http.request.method: (GET or POST or PUT or PATCH or DELETE) and (
+  url.path: (/v1.0/me/*cc or /v1.0/users/*) and
+  (
+    url.path: (*mail* or *messages* or *inbox*) or
+    azure.graphactivitylogs.properties.requestUri: (*mail* or *messages* or *inbox*)
+  ) or
+  azure.graphactivitylogs.properties.scopes: (
+    "Mail.Read" or "Mail.ReadWrite" or "Mail.Send" or "email"
+  )
+)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1114"
+name = "Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/"
+
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = [
+    "azure.graphactivitylogs.properties.app_id",
+    "azure.graphactivitylogs.properties.user_principal_object_id",
+]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
+
+