Microsoft Entra ID SharePoint Access for User Principal via Auth Broker

Last updated: 2025-05-07
Created: 2025-05-01

About

This rule detects non-interactive authentication activity against SharePoint Online (`Office 365 SharePoint Online`) by a user principal via the `Microsoft Authentication Broker` application. The session leverages a refresh token or Primary Refresh Token (PRT) without interactive sign-in, often used in OAuth phishing or token replay scenarios.
Tags
Domain: Cloud
Use Case: Identity and Access Audit
Tactic: Collection
Data Source: Azure
Data Source: Microsoft Entra ID
Data Source: Microsoft Entra ID Sign-in Logs
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Collection (TA0009)

False Positive Examples
Legitimate non-interactive access to SharePoint Online via the Microsoft Authentication Broker may occur in enterprise environments, especially with MDM solutions or automated scripts. However, this should be explicitly allowed and monitored. Some enterprise MDM or brokered flows may use refresh tokens legitimately (especially with hybrid or Microsoft Entra joined devices). Automated scripts for legitimate tasks (e.g., reporting, backups) might use `python-requests`, though this should be explicitly allowed. If the user is a developer or automation engineer, validate whether this behavior was for testing purposes.
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.signinlogs-*
Related Integrations

azure

Query
event.dataset: "azure.signinlogs"
    and azure.signinlogs.properties.app_id: "29d9ed98-a469-4536-ade2-f981bc1d605e"
    and azure.signinlogs.properties.resource_id: "00000003-0000-0ff1-ce00-000000000000"
    and azure.signinlogs.identity: *
    and azure.signinlogs.properties.user_principal_name: *
    and azure.signinlogs.properties.incoming_token_type: ("refreshToken" or "primaryRefreshToken")
    and azure.signinlogs.properties.is_interactive: false
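
The rule query above, re-expressed as an added example (not Elastic's code) that evaluates each clause against constructed `azure.signinlogs` documents. The app and resource IDs are the ones quoted in the query; the sample events, the nested field layout and the `signin()` helper are assumptions for illustration only.

```python
# Added example: apply the rule's KQL clauses to constructed sign-in documents.
# App/resource IDs are taken from the rule; everything else is constructed.
APP_ID_AUTH_BROKER = "29d9ed98-a469-4536-ade2-f981bc1d605e"
RESOURCE_ID_SHAREPOINT = "00000003-0000-0ff1-ce00-000000000000"
TOKEN_TYPES = {"refreshToken", "primaryRefreshToken"}


def get_field(doc, path):
    """Walk a dotted field path through nested dicts; None if any part is absent."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_rule(doc):
    """True when a document satisfies every clause of the rule query."""
    props = "azure.signinlogs.properties."
    return (
        get_field(doc, "event.dataset") == "azure.signinlogs"
        and get_field(doc, props + "app_id") == APP_ID_AUTH_BROKER
        and get_field(doc, props + "resource_id") == RESOURCE_ID_SHAREPOINT
        and get_field(doc, "azure.signinlogs.identity") is not None   # `field: *` means the field exists
        and get_field(doc, props + "user_principal_name") is not None
        and get_field(doc, props + "incoming_token_type") in TOKEN_TYPES
        and get_field(doc, props + "is_interactive") is False
    )


def signin(upn, app_id, resource_id, token_type, interactive):
    """Build a constructed (not real) azure.signinlogs document."""
    return {"event": {"dataset": "azure.signinlogs"},
            "azure": {"signinlogs": {"identity": upn, "properties": {
                "app_id": app_id, "resource_id": resource_id,
                "user_principal_name": upn, "incoming_token_type": token_type,
                "is_interactive": interactive}}}}


OTHER_APP = "00000000-0000-0000-0000-000000000000"  # placeholder app id
SAMPLES = {  # constructed events: two that should alert, three that should not
    "prt_broker_sharepoint": signin("alice@example.com", APP_ID_AUTH_BROKER, RESOURCE_ID_SHAREPOINT, "primaryRefreshToken", False),
    "refresh_broker_sharepoint": signin("alice@example.com", APP_ID_AUTH_BROKER, RESOURCE_ID_SHAREPOINT, "refreshToken", False),
    "interactive_broker_signin": signin("alice@example.com", APP_ID_AUTH_BROKER, RESOURCE_ID_SHAREPOINT, "primaryRefreshToken", True),
    "other_app_to_sharepoint": signin("alice@example.com", OTHER_APP, RESOURCE_ID_SHAREPOINT, "refreshToken", False),
    "broker_password_signin": signin("alice@example.com", APP_ID_AUTH_BROKER, RESOURCE_ID_SHAREPOINT, "none", False),
}


def alerting_samples():
    """Names of the constructed samples the query would match, sorted."""
    return sorted(name for name, doc in SAMPLES.items() if matches_rule(doc))
```

Only the filter is reproduced here; as a New Terms rule, Elastic additionally alerts only when the matched term value is new relative to the rule's history window.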

Install detection rules in Elastic Security

Detect Microsoft Entra ID SharePoint Access for User Principal via Auth Broker in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.