First Occurrence of Entra ID Auth via DeviceCode Protocol

Last updated a month ago on 2024-10-14

Created a month ago on 2024-10-14

About

Identifies when a user is observed for the first time in the last 14 days authenticating using the deviceCode protocol. The device code authentication flow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords.

Tags

Domain: CloudData Source: AzureData Source: Microsoft Entra IDUse Case: Identity and Access AuditTactic: Credential Access

Severity

medium

Risk Score

MITRE ATT&CK™

Credential Access (TA0006)(opens in a new tab or window)

↳ Steal Application Access Token (T1528)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-azure.signinlogs-*logs-azure.activitylogs-*
Related Integrations: azure(opens in a new tab or window)
Query

 event.dataset:(azure.activitylogs or azure.signinlogs) and 
     (azure.signinlogs.properties.authentication_protocol:deviceCode or azure.activitylogs.properties.authentication_protocol:deviceCode) and event.outcome:success

Install detection rules in Elastic Security

Detect First Occurrence of Entra ID Auth via DeviceCode Protocol in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).