diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml b/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml
index d0b2c8b021f..a33f20f0894 100644
--- a/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml
+++ b/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/03"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/10/06"
 
 [rule]
 author = ["Elastic"]
@@ -18,10 +18,10 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.signinlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Suspicious Entra ID OAuth User Impersonation Scope Detected"
+name = "Entra ID OAuth user_impersonation Scope for Unusual User and Client"
 note = """## Triage and Analysis
 
-### Investigating Suspicious Entra ID OAuth User Impersonation Scope Detected
+### Investigating Entra ID OAuth user_impersonation Scope for Unusual User and Client
 
 Identifies rare occurrences of OAuth workflow for a user principal that is single factor authenticated, with an OAuth scope containing `user_impersonation`, and a token issuer type of `AzureAD`. This rule is designed to detect suspicious OAuth user impersonation attempts in Microsoft Entra ID, particularly those involving the `user_impersonation` scope, which is often used by adversaries to gain unauthorized access to user accounts. The rule focuses on sign-in events where
@@ -82,9 +82,42 @@ event.dataset: azure.signinlogs and
 azure.signinlogs.properties.token_issuer_type: "AzureAD" and
 azure.signinlogs.properties.token_protection_status_details.sign_in_session_status: "unbound" and
 azure.signinlogs.properties.user_type: "Member" and
+ azure.signinlogs.properties.conditional_access_status: "notApplied" and
+ not user_agent.original: Mozilla*PKeyAuth/1.0 and
+ not azure.signinlogs.properties.device_detail.operating_system: (Ios* or Android*) and
 event.outcome: "success"
+ and not azure.signinlogs.properties.app_id: (
+ "a5f63c0-b750-4f38-a71c-4fc0d58b89e2" or
+ "6bc3b958-689b-49f5-9006-36d165f30e00" or
+ "66a88757-258c-4c72-893c-3e8bed4d6899" or
+ "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe" or
+ "0000000c-0000-0000-c000-000000000000"
+ )
 '''
 
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "azure.correlation_id",
+ "azure.signinlogs.category",
+ "azure.signinlogs.identity",
+ "azure.signinlogs.properties.app_display_name",
+ "azure.signinlogs.properties.app_id",
+ "azure.signinlogs.properties.app_owner_tenant_id",
+ "azure.signinlogs.properties.authentication_requirement",
+ "azure.signinlogs.properties.client_credential_type",
+ "azure.signinlogs.properties.conditional_access_status",
+ "azure.signinlogs.properties.device_detail.operating_system",
+ "azure.signinlogs.properties.is_interactive",
+ "azure.signinlogs.properties.session_id",
+ "azure.signinlogs.properties.user_principal_name",
+ "azure.signinlogs.properties.user_type",
+ "azure.signinlogs.result_signature",
+ "azure.tenant_id",
+ "source.address",
+ "user.id"
+]
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
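Review bot: The first value in the new `not azure.signinlogs.properties.app_id: (...)` exclusion, `"a5f63c0-b750-4f38-a71c-4fc0d58b89e2"`, has seven hexadecimal characters in its first group instead of eight, so it is not a well-formed application ID and can never equal a real `app_id`; whichever first-party application it was meant to suppress is still alerting, and the intended value should be confirmed against that application's registration and corrected (e.g. `"<corrected-app-id>"` as a placeholder until verified). The remaining four IDs are undocumented, and since KQL offers no comment syntax inside the `'''` string, a TOML comment above `query = '''` (which opens outside this hunk) naming the application behind each ID would let future reviewers verify the allow-list instead of trusting it. As a point of style, every other clause ends with its `and` while the app_id exclusion starts its continuation line with `and`; writing `event.outcome: "success" and` followed by `not azure.signinlogs.properties.app_id: (` keeps the query uniform. The enclosing `query` value begins before this hunk, and the hunk's trailing context may continue past what is shown here.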