// Suspicious Microsoft OAuth flow via Authentication Broker to DRS.
// Successful Microsoft Entra ID member sign-ins in which the client is the Microsoft
// Authentication Broker (MAB) and the target resource is the Device Registration
// Service (DRS), grouped per user, per session and per 30-minute window. A window is
// reported when one session authenticated from two or more source addresses and at
// least one of those requests came from a browser.
FROM logs-azure.signinlogs* metadata _id, _version, _index
| WHERE event.dataset == "azure.signinlogs"
    // MAB as the client (app_id) requesting DRS as the resource (resource_id)
    AND azure.signinlogs.properties.app_id == "29d9ed98-a469-4536-ade2-f981bc1d605e"      // MAB
    AND azure.signinlogs.properties.resource_id == "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9" // DRS
    AND event.outcome == "success"
    AND azure.signinlogs.properties.user_type == "Member"
    // fields the grouping and the source-address correlation below depend on
    AND azure.signinlogs.identity IS NOT NULL
    AND azure.signinlogs.properties.user_principal_name IS NOT NULL
    AND source.address IS NOT NULL
// Per-event derived columns: the 30-minute bucket, the session key and a browser flag.
// NOTE(review): RLIKE matches the whole string, so the lower-cased browser name has to
// START with one of the listed tokens; a value carrying a prefix (e.g. a "Mobile Safari"
// style string, if that appears in your data) is not flagged -- confirm this is intended.
| EVAL
    target_time_window = DATE_TRUNC(30 minutes, @timestamp),
    session_id = azure.signinlogs.properties.session_id,
    is_browser = CASE(
        TO_LOWER(azure.signinlogs.properties.device_detail.browser) RLIKE "(chrome|firefox|edge|safari).*", 1, 0
    )
// VALUES(...) collects the distinct values seen in the group so the alert carries the
// full context (every source address, user agent, token type, ...) of the window.
| STATS
    // who: user and session identity
    user_display_name = VALUES(azure.signinlogs.properties.user_display_name),
    user_principal_name = VALUES(azure.signinlogs.properties.user_principal_name),
    session_id = VALUES(azure.signinlogs.properties.session_id),
    unique_token_id = VALUES(azure.signinlogs.properties.unique_token_identifier),
    // where from: geolocation and network origin (ip_count drives the alert condition)
    city_name = VALUES(source.geo.city_name),
    country_name = VALUES(source.geo.country_name),
    region_name = VALUES(source.geo.region_name),
    source_ip = VALUES(source.address),
    ip_count = COUNT_DISTINCT(source.address),
    autonomous_system = VALUES(source.`as`.organization.name),
    // how: authentication protocol and requirement
    auth_protocol = VALUES(azure.signinlogs.properties.authentication_protocol),
    auth_requirement = VALUES(azure.signinlogs.properties.authentication_requirement),
    is_interactive = VALUES(azure.signinlogs.properties.is_interactive),
    // what: token, client application and target resource
    token_type = VALUES(azure.signinlogs.properties.incoming_token_type),
    token_session_status = VALUES(azure.signinlogs.properties.token_protection_status_details.sign_in_session_status),
    session_id_count = COUNT_DISTINCT(session_id),
    client_app_display_name = VALUES(azure.signinlogs.properties.app_display_name),
    client_app_ids = VALUES(azure.signinlogs.properties.app_id),
    target_resource_ids = VALUES(azure.signinlogs.properties.resource_id),
    target_resource_display_name = VALUES(azure.signinlogs.properties.resource_display_name),
    // which tenants own the client app and the resource
    app_owner_tenant_id = VALUES(azure.signinlogs.properties.app_owner_tenant_id),
    resource_owner_tenant_id = VALUES(azure.signinlogs.properties.resource_owner_tenant_id),
    // conditional access outcome and identity-protection risk signals
    conditional_access_status = VALUES(azure.signinlogs.properties.conditional_access_status),
    risk_state = VALUES(azure.signinlogs.properties.risk_state),
    risk_level_aggregated = VALUES(azure.signinlogs.properties.risk_level_aggregated),
    // user agent and device; has_browser is 1 when any event in the group was browser-based
    browser = VALUES(azure.signinlogs.properties.device_detail.browser),
    os = VALUES(azure.signinlogs.properties.device_detail.operating_system),
    user_agent = VALUES(user_agent.original),
    has_browser = MAX(is_browser),
    auth_count = COUNT(*)
    BY
        target_time_window,
        azure.signinlogs.properties.user_principal_name,
        session_id
// Output columns, in presentation order.
| KEEP
    target_time_window,
    user_display_name,
    user_principal_name,
    session_id,
    unique_token_id,
    city_name,
    country_name,
    region_name,
    source_ip,
    ip_count,
    autonomous_system,
    auth_protocol,
    auth_requirement,
    is_interactive,
    token_type,
    token_session_status,
    session_id_count,
    client_app_display_name,
    client_app_ids,
    target_resource_ids,
    target_resource_display_name,
    app_owner_tenant_id,
    resource_owner_tenant_id,
    conditional_access_status,
    risk_state,
    risk_level_aggregated,
    browser,
    os,
    user_agent,
    has_browser,
    auth_count
// Alert conditions for one user/session/window group:
//   auth_count >= 2        -- at least two successful authentications in the window
//   ip_count >= 2          -- the same session was seen from two or more source addresses
//   has_browser >= 1       -- at least one of those requests came from a browser
//   session_id_count == 1  -- session_id is also a grouping key, so this count can only
//                             be 0 (no session ID) or 1; the predicate effectively drops
//                             groups with a null session ID rather than counting sessions
// NOTE(review): mobile carriers and CGNAT can rotate a client's public address within
// a single session, which satisfies ip_count >= 2 on its own -- tune with the
// autonomous_system / country_name context carried on the alert if this proves noisy.
| WHERE
    auth_count >= 2
    AND ip_count >= 2
    AND has_browser >= 1
    AND session_id_count == 1
Install detection rules in Elastic Security
Detect Suspicious Microsoft OAuth Flow via Auth Broker to DRS in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, see the installation guide for Prebuilt Security Detection Rules.