Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN

Last updated 4 days ago on 2026-05-26
Created 4 days ago on 2026-05-26

About

Detects Microsoft Entra ID sign-in activity in which the Microsoft Authentication Broker client signs in to the Device Registration Service resource from a source autonomous system number (ASN) associated with VPN, residential proxy, or hosting egress commonly observed in OAuth phishing and adversary-in-the-middle device registration flows. This pattern can indicate a device join or primary refresh token acquisition staged from attacker-controlled infrastructure after a user completes authentication.
Tags
Domain: Cloud
Domain: Identity
Data Source: Azure
Data Source: Microsoft Entra ID
Data Source: Microsoft Entra ID Sign-In Logs
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Persistence
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)
Initial Access (TA0001)
Defense Evasion (TA0005)

False Positive Examples
Users enrolling or joining devices while on corporate VPNs, consumer VPNs, or cloud egress that map to the listed ASNs may match. Legitimate mobile device management or bulk provisioning that uses the broker against Device Registration Service from the same networks can also trigger alerts. Baseline `source.as.organization.name` and successful broker-to-DRS sign-ins before tuning exclusions for approved ASNs or user groups.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.signinlogs-*
Related Integrations

azure

Query
data_stream.dataset:"azure.signinlogs" and
event.action:"Sign-in activity" and
source.as.number:( 399629 or 14061 or 136787 or 9009 or 45102 or 215540 or 29802 or 62240 or 204957 or 395092 or 393406 or 400940 or 59711 or 132203 ) and
azure.signinlogs.properties.app_display_name:"Microsoft Authentication Broker" and
azure.signinlogs.properties.resource_display_name:"Device Registration Service"
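The following is an added example, not part of the Elastic rule: it re-implements the query's predicate in Python so the logic can be dry-run against exported sign-in documents, and it computes the per-organization baseline the false-positive note recommends. The field paths are those from the query; the sample documents, user names and AS organization names are constructed, and ASN 64496 stands in for an unlisted corporate network.

```python
# Added example (not Elastic's code): the rule's KQL predicate re-implemented in
# Python for dry-runs over exported sign-in documents; samples are constructed.
from collections import Counter
SUSPICIOUS_ASNS = {399629, 14061, 136787, 9009, 45102, 215540, 29802,
                   62240, 204957, 395092, 393406, 400940, 59711, 132203}
PROPS = "azure.signinlogs.properties."

def get_path(doc, dotted):
    """Walk a dotted ECS field path through nested dicts; None if absent."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def is_broker_to_drs(doc):
    """The app/resource clauses: a broker sign-in whose resource is DRS."""
    return (get_path(doc, PROPS + "app_display_name") == "Microsoft Authentication Broker"
            and get_path(doc, PROPS + "resource_display_name") == "Device Registration Service")

def matches_rule(doc):
    """True when every clause of the rule's KQL query holds for the document."""
    return (get_path(doc, "data_stream.dataset") == "azure.signinlogs"
            and get_path(doc, "event.action") == "Sign-in activity"
            and get_path(doc, "source.as.number") in SUSPICIOUS_ASNS
            and is_broker_to_drs(doc))

def make_doc(asn, org, resource, user):
    """Constructed broker sign-in document in the ECS shape the rule reads."""
    return {"data_stream": {"dataset": "azure.signinlogs"},
            "event": {"action": "Sign-in activity"},
            "source": {"as": {"number": asn, "organization": {"name": org}}},
            "user": {"name": user},
            "azure": {"signinlogs": {"properties": {
                "app_display_name": "Microsoft Authentication Broker",
                "resource_display_name": resource}}}}

# Constructed samples: a listed ASN reaching DRS, the same ASN reaching another
# resource (no match), and a DRS registration from an unlisted corporate ASN.
SAMPLE_DOCS = [
    make_doc(14061, "EXAMPLE-HOSTING-AS", "Device Registration Service", "alice"),
    make_doc(14061, "EXAMPLE-HOSTING-AS", "Example Other Resource", "alice"),
    make_doc(64496, "EXAMPLE-CORP-AS", "Device Registration Service", "bob"),
]

def baseline_by_org(docs):
    """Broker->DRS sign-ins per source.as.organization.name across all ASNs,
    the baseline the false-positive note asks for before excluding any ASN."""
    return Counter(get_path(d, "source.as.organization.name")
                   for d in docs if is_broker_to_drs(d))
```

Only the first sample fires; the baseline counts both Device Registration Service sign-ins regardless of ASN, which is the view to compare against before adding exclusions.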

Install detection rules in Elastic Security

Detect Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.