From a0d98ff38a48a0feabb1ac82cedecc97cdba1c8d Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 14 Oct 2024 12:29:33 +0100
Subject: [PATCH 1/6] Create credential_access_first_time_seen_device_code_auth.toml
---
 ...cess_first_time_seen_device_code_auth.toml | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
diff --git a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
new file mode 100644
index 00000000000..b552bb0e221
--- /dev/null
+++ b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2024/10/14"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2024/10/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e).
+"""
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Time Seen User Auth via DeviceCode Protocol"
+references =[
+ "https://aadinternals.com/post/phishing/",
+ "https://www.blackhillsinfosec.com/dynamic-device-code-phishing/"
+]
+risk_score = 47
+rule_id = "af22d970-7106-45b4-b5e3-460d15333727"
+setup = """
+This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected.
+"""
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+ event.dataset:azure.signinlogs and event.outcome:success and azure.signinlogs.properties.authentication_protocol:deviceCode
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["azure.signinlogs.properties.user_principal_name"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
From c8dfd1583fa9f8c455b928f3718477afe7417eb1 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 14 Oct 2024 12:33:11 +0100
Subject: [PATCH 2/6] Update credential_access_first_time_seen_device_code_auth.toml
---
 .../credential_access_first_time_seen_device_code_auth.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
index b552bb0e221..f3a35a58390 100644
--- a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
+++ b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
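Review bot: The rule is introduced at `maturity = "production"` without a `false_positives` entry, although the `query = '''` block in this hunk alerts on every first-seen user authenticating via deviceCode, and device code is the legitimate flow for input-constrained devices and for command-line tooling configured to use it; add one, e.g. `false_positives = ["Device code authentication is expected from headless or input-constrained devices and from CLI tooling configured to use it; exclude users or service identities known to authenticate this way routinely."]`. The `setup` text, `This rule optionally requires Azure Sign-In logs`, is self-contradictory, since the rule cannot fire without that data source; drop `optionally`. `references =[` is also missing the space before `[` that every other key in the file has.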
@@ -7,7 +7,7 @@ updated_date = "2024/10/14"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e).
+Identifies when a user is observed for the first time in the last 10 days aauthenticating using deviceCode protocol. The device code authentication flow is used by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords.
 """
 from = "now-9m"
 index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
From a7a532a6d32db4199186049376690ab26491009e Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 14 Oct 2024 12:34:53 +0100
Subject: [PATCH 3/6] Update credential_access_first_time_seen_device_code_auth.toml
---
 .../credential_access_first_time_seen_device_code_auth.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
index f3a35a58390..e8734d7025f 100644
--- a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
+++ b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
@@ -5,9 +5,9 @@ maturity = "production"
 updated_date = "2024/10/14"
 
 [rule]
-author = ["Elastic"]
+author = ["Elastic", "Matteo Potito Giorgio"]
 description = """
-Identifies when a user is observed for the first time in the last 10 days aauthenticating using deviceCode protocol. The device code authentication flow is used by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords.
+Identifies when a user is observed for the first time in the last 14 days authenticating using the deviceCode protocol. The device code authentication flow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords.
 """
 from = "now-9m"
 index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
From 6783b8eb94d93c7d1478a39b39a8bd01e7c59da9 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 11 Nov 2024 12:48:21 +0000
Subject: [PATCH 4/6] Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 .../credential_access_first_time_seen_device_code_auth.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
index e8734d7025f..ac7abe12d8c 100644
--- a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
+++ b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
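Review bot: The rewritten description says the rule fires when a user is first seen `authenticating using the deviceCode protocol`, but the query further down the file (outside this hunk) also requires `event.outcome:success`, so failed or abandoned device-code attempts never alert; an analyst reading only the description would assume attempts are covered. Suggested first sentence: `Identifies when a user is observed for the first time in the last 14 days successfully authenticating using the deviceCode protocol.` The `14 days` wording now agrees with the `now-14d` history window set at the end of the file, which the previous `10 days` text did not.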
@@ -13,7 +13,7 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "First Time Seen User Auth via DeviceCode Protocol"
+name = "First Occurrence of Entra ID Auth via DeviceCode Protocol"
 references =[
  "https://aadinternals.com/post/phishing/",
  "https://www.blackhillsinfosec.com/dynamic-device-code-phishing/"
From a9218df3767569b0a0e9bd894d52cd68b22253e2 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 11 Nov 2024 12:48:29 +0000
Subject: [PATCH 5/6] Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 .../credential_access_first_time_seen_device_code_auth.toml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
index ac7abe12d8c..9ed5d5a6514 100644
--- a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
+++ b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
@@ -35,7 +35,9 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
- event.dataset:azure.signinlogs and event.outcome:success and azure.signinlogs.properties.authentication_protocol:deviceCode
+ event.dataset:(azure.activitylogs or azure.signinlogs)
+ (azure.signinlogs.properties.authentication_protocol:deviceCode or azure.activitylogs.properties.authentication_protocol:deviceCode)
+ and event.outcome:success
 '''
 
 
From cf62a4ca1f1bdd339ca1393f6690bbe5a422a0f2 Mon Sep 17 00:00:00 2001
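Review bot: The query now also admits `azure.activitylogs` documents, but the new-terms field configured at the end of the file (outside this hunk), `azure.signinlogs.properties.user_principal_name`, is a sign-in-log field; activity-log hits presumably carry no value for it, and as far as I know a new-terms rule can only baseline and alert on documents where the term field is present, so those hits would be silently dropped. Confirm against the integration's field list and, if the activity-log dataset has an equivalent user field, add it to the `value = [...]` array of `[rule.new_terms]`; otherwise the `azure.activitylogs` branch adds nothing but query cost. The same concern applies unchanged to the query as reformatted in patch 6 of this series.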
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 11 Nov 2024 12:52:58 +0000
Subject: [PATCH 6/6] Update credential_access_first_time_seen_device_code_auth.toml
---
 .../credential_access_first_time_seen_device_code_auth.toml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
index 9ed5d5a6514..76341ee2959 100644
--- a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
+++ b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
@@ -35,9 +35,8 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
- event.dataset:(azure.activitylogs or azure.signinlogs)
- (azure.signinlogs.properties.authentication_protocol:deviceCode or azure.activitylogs.properties.authentication_protocol:deviceCode)
- and event.outcome:success
+ event.dataset:(azure.activitylogs or azure.signinlogs) and
+ (azure.signinlogs.properties.authentication_protocol:deviceCode or azure.activitylogs.properties.authentication_protocol:deviceCode) and event.outcome:success
 '''