Description
Link to Rule
Rule Tuning Type
None
Description
A lot of false positive alerts are generated for legitimate Microsoft apps/actions, for example:
Microsoft Office, app ID d3590ed6-52b3-4102-aeff-aad2292ab01c
Additional info on the topic:
https://learn.microsoft.com/en-us/answers/questions/2127841/migrate-service-principals-from-the-retiring-azure
"If you are seeing an entry about the "Microsoft Office" application (ID of d3590ed6-52b3-4102-aeff-aad2292ab01c), you can safely ignore that. This is a first-party (Microsoft) application, and is managed by Microsoft itself - nothing you can do about it. They should not have surfaced this entry to begin with."
https://techcommunity.microsoft.com/blog/microsoft-entra-blog/action-required-azure-ad-graph-api-retirement/4090533/replies/4355152
"Some Microsoft applications, including Microsoft Office, Microsoft Visual Studio Legacy, and Microsoft Intune, do not yet have an update available without Azure AD Graph API usage. For these, we will provide future Azure AD Graph API retirement blog updates when a replacement version is available. These apps will be granted extended access for Azure AD Graph and sufficient time will be given to update the applications when an update is made available."
Example Data
azure.signinlogs.properties.app_display_name: Microsoft Office
azure.signinlogs.properties.app_id: d3590ed6-52b3-4102-aeff-aad2292ab01c
azure.signinlogs.properties.authentication_details.authentication_step_result_detail: MFA requirement satisfied by claim in the token
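One way to express the requested tuning as an exception on the sign-in log fields shown above, written as an added example (not code from the detection-rules repository): the exception keys on app_id, which is fixed by Microsoft, rather than on app_display_name, which any app registration can set to "Microsoft Office". The second and third sample events and their GUIDs are constructed placeholders.

```python
from typing import Dict, Iterable, List

# Sign-in log fields as they appear in the issue's example data.
APP_ID_FIELD = "azure.signinlogs.properties.app_id"
APP_NAME_FIELD = "azure.signinlogs.properties.app_display_name"

# Microsoft first-party application IDs the rule should not alert on.
# Only the Microsoft Office ID comes from the issue; the list is assumed to be
# maintained alongside the rule as further first-party apps are confirmed.
FIRST_PARTY_APP_IDS = frozenset({
    "d3590ed6-52b3-4102-aeff-aad2292ab01c",  # Microsoft Office
})


def is_first_party_exception(event: Dict[str, str]) -> bool:
    """Return True when the sign-in comes from an allow-listed Microsoft app.

    The match is on app_id only: the GUID is assigned by Microsoft and cannot
    be reused by an app registered in another tenant, whereas the display
    name is free text that any registration can set to "Microsoft Office".
    """
    app_id = event.get(APP_ID_FIELD, "")
    return app_id.lower() in FIRST_PARTY_APP_IDS  # GUID case varies between sources


def filter_alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Drop the first-party exceptions and return the events that still alert."""
    return [e for e in events if not is_first_party_exception(e)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {   # the issue's example: legitimate first-party sign-in, suppressed
        APP_NAME_FIELD: "Microsoft Office",
        APP_ID_FIELD: "d3590ed6-52b3-4102-aeff-aad2292ab01c",
    },
    {   # same display name, different app_id: a name-only exception would hide this
        APP_NAME_FIELD: "Microsoft Office",
        APP_ID_FIELD: "11111111-2222-3333-4444-555555555555",  # placeholder ID
    },
    {   # unrelated third-party app: still alerts
        APP_NAME_FIELD: "Contoso Sync",
        APP_ID_FIELD: "66666666-7777-8888-9999-000000000000",  # placeholder ID
    },
]

if __name__ == "__main__":
    for e in filter_alerts(SAMPLE_EVENTS):
        print("ALERT:", e[APP_NAME_FIELD], e[APP_ID_FIELD])
```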