Unusual ROPC Login Attempt by User Principal

Last updated 2 months ago on 2025-07-02

Created 2 months ago on 2025-07-02

About

Detects unusual resource owner password credential (ROPC) login attempts by a user principal in Microsoft Entra ID. ROPC is a legacy authentication flow that allows applications to obtain tokens by directly providing user credentials. This method is less secure and can be exploited by adversaries to gain access to user accounts without requiring multi-factor authentication (MFA), especially during enumeration or password spraying. This is a New Terms rule that identifies when user principals are involved in ROPC login attempts, not seen before in the last 10 days, indicating potential abuse or unusual activity.

Tags

Domain: CloudDomain: IdentityData Source: AzureData Source: Microsoft Entra IDData Source: Microsoft Entra ID Sign-In LogsUse Case: Identity and Access AuditTactic: Initial AccessLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Initial Access (TA0001)(opens in a new tab or window)

↳ Valid Accounts (T1078)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-azure.signinlogs-*
Related Integrations: azure(opens in a new tab or window)
Query

event.dataset: "azure.signinlogs" and
    azure.signinlogs.properties.authentication_protocol: "ropc" and
    azure.signinlogs.properties.authentication_requirement: "singleFactorAuthentication" and
    azure.signinlogs.properties.user_type: "Member" and
    event.outcome: "success"

Install detection rules in Elastic Security

Detect Unusual ROPC Login Attempt by User Principal in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).