[New] First Time Seen User Auth via DeviceCode Protocol (#4153)

Samirbous · shashank-elastic · terrancedejesus · web-flow · commit f36845318e57 · 2024-11-11T13:04:18.000Z
* Create credential_access_first_time_seen_device_code_auth.toml

* Update credential_access_first_time_seen_device_code_auth.toml

* Update credential_access_first_time_seen_device_code_auth.toml

* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml

Co-authored-by: Terrance DeJesus &lt;99630311+terrancedejesus@users.noreply.github.com&gt;

* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml

Co-authored-by: Terrance DeJesus &lt;99630311+terrancedejesus@users.noreply.github.com&gt;

* Update credential_access_first_time_seen_device_code_auth.toml

---------

Co-authored-by: shashank-elastic &lt;91139415+shashank-elastic@users.noreply.github.com&gt;
Co-authored-by: Terrance DeJesus &lt;99630311+terrancedejesus@users.noreply.github.com&gt;
diff --git a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2024/10/14"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2024/10/14"
+
+[rule]
+author = ["Elastic", "Matteo Potito Giorgio"]
+description = """
+Identifies when a user is observed for the first time in the last 14 days authenticating using the deviceCode protocol. The device code authentication flow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords.
+"""
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of Entra ID Auth via DeviceCode Protocol"
+references =[
+    "https://aadinternals.com/post/phishing/", 
+    "https://www.blackhillsinfosec.com/dynamic-device-code-phishing/"
+]
+risk_score = 47
+rule_id = "af22d970-7106-45b4-b5e3-460d15333727"
+setup = """
+This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected.
+"""
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Azure",
+    "Data Source: Microsoft Entra ID",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Credential Access",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+ event.dataset:(azure.activitylogs or azure.signinlogs) and 
+     (azure.signinlogs.properties.authentication_protocol:deviceCode or azure.activitylogs.properties.authentication_protocol:deviceCode) and event.outcome:success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["azure.signinlogs.properties.user_principal_name"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
