[Rule Tuning] Entra ID OAuth PRT Issuance to Non-Managed Device Detected

terrancedejesus · terrancedejesus · commit e9b91707091a · 2025-12-15T11:14:52.000-05:00
Fixes #5463
diff --git a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml
@@ -2,13 +2,13 @@
 creation_date = "2025/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2025/12/15"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies when a user signs in with a refresh token using the Microsoft Authentication Broker (MAB) client, followed by
-a Primary Refresh Token (PRT) sign-in from the same device within 1 hour. This pattern may indicate that an attacker has
+a Primary Refresh Token (PRT) sign-in from the same device within 1 hour from an unmanaged device. This pattern may indicate that an attacker has
 successfully registered a device using ROADtx and transitioned from short-term token access to long-term persistent
 access via PRTs. Excluding access to the Device Registration Service (DRS) ensures the PRT is being used beyond
 registration, often to access Microsoft 365 resources like Outlook or SharePoint.
@@ -18,10 +18,10 @@ index = ["filebeat-*", "logs-azure.signinlogs-*"]
 interval = "30m"
 language = "eql"
 license = "Elastic License v2"
-name = "Entra ID OAuth Primary Refresh Token (PRT) Issuance via Refresh Token (RT) Detected"
+name = "Entra ID OAuth PRT Issuance to Non-Managed Device Detected"
 note = """## Triage and analysis
 
-### Investigating Entra ID OAuth Primary Refresh Token (PRT) Issuance via Refresh Token (RT) Detected
+### Investigating Entra ID OAuth PRT Issuance to Non-Managed Device Detected
 
 This rule identifies a sequence where a Microsoft Entra ID user signs in using a refresh token issued to the Microsoft Authentication Broker (MAB), followed by a sign-in using a Primary Refresh Token (PRT) from the same device. This behavior is uncommon for normal user activity and strongly suggests adversarial behavior, particularly when paired with OAuth phishing and device registration tools like ROADtx. The use of PRT shortly after a refresh token sign-in typically indicates the attacker has obtained device trust and is now using the PRT to impersonate a fully compliant user+device pair.
 
@@ -83,7 +83,12 @@ sequence by azure.signinlogs.properties.user_id, azure.signinlogs.properties.dev
     event.dataset == "azure.signinlogs" and
     azure.signinlogs.properties.incoming_token_type == "primaryRefreshToken" and
     azure.signinlogs.properties.resource_display_name != "Device Registration Service" and
-    azure.signinlogs.result_signature == "SUCCESS"
+    azure.signinlogs.result_signature == "SUCCESS" and
+    azure.signinlogs.properties.device_detail.is_managed != true
+    and not (
+        azure.signinlogs.properties.app_display_name == "Windows Sign In" or
+        user_agent.original == "Windows-AzureAD-Authentication-Provider/1.0"
+    )
   ]
 '''
 
