elastic · terrancedejesus · Oct 6, 2025
diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml b/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/03"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/10/06"
 
 [rule]
 author = ["Elastic"]
@@ -18,10 +18,10 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.signinlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Suspicious Entra ID OAuth User Impersonation Scope Detected"
+name = "Entra ID OAuth user_impersonation Scope for Unusual User and Client"
 note = """## Triage and Analysis
 
-### Investigating Suspicious Entra ID OAuth User Impersonation Scope Detected
+### Investigating Entra ID OAuth user_impersonation Scope for Unusual User and Client
 
 Identifies rare occurrences of OAuth workflow for a user principal that is single factor authenticated, with an OAuth scope containing `user_impersonation`, and a token issuer type of `AzureAD`. This rule is designed to detect suspicious
 OAuth user impersonation attempts in Microsoft Entra ID, particularly those involving the `user_impersonation` scope, which is often used by adversaries to gain unauthorized access to user accounts. The rule focuses on sign-in events where
@@ -82,9 +82,42 @@ event.dataset: azure.signinlogs and
     azure.signinlogs.properties.token_issuer_type: "AzureAD" and
     azure.signinlogs.properties.token_protection_status_details.sign_in_session_status: "unbound" and
     azure.signinlogs.properties.user_type: "Member" and
+    azure.signinlogs.properties.conditional_access_status: "notApplied" and
+    not user_agent.original: Mozilla*PKeyAuth/1.0 and
+    not azure.signinlogs.properties.device_detail.operating_system: (Ios* or Android*) and
     event.outcome: "success"
+    and not azure.signinlogs.properties.app_id: (
+        "a5f63c0-b750-4f38-a71c-4fc0d58b89e2" or
+        "6bc3b958-689b-49f5-9006-36d165f30e00" or
+        "66a88757-258c-4c72-893c-3e8bed4d6899" or
+        "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe" or
+        "0000000c-0000-0000-c000-000000000000"
+    )
 '''
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "azure.correlation_id",
+    "azure.signinlogs.category",
+    "azure.signinlogs.identity",
+    "azure.signinlogs.properties.app_display_name",
+    "azure.signinlogs.properties.app_id",
+    "azure.signinlogs.properties.app_owner_tenant_id",
+    "azure.signinlogs.properties.authentication_requirement",
+    "azure.signinlogs.properties.client_credential_type",
+    "azure.signinlogs.properties.conditional_access_status",
+    "azure.signinlogs.properties.device_detail.operating_system",
+    "azure.signinlogs.properties.is_interactive",
+    "azure.signinlogs.properties.session_id",
+    "azure.signinlogs.properties.user_principal_name",
+    "azure.signinlogs.properties.user_type",
+    "azure.signinlogs.result_signature",
+    "azure.tenant_id",
+    "source.address",
+    "user.id"
+]
+
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"