Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent

Last updated: 2026-05-27
Created: 2026-05-27

About

Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker authenticates using a user agent that is not consistent with common browser, mobile, or Windows platform authentication clients. Adversary-in-the-middle and OAuth phishing tooling often presents scripted or relayed user agents (for example Node.js, Python, or generic HTTP libraries) while still targeting first-party resources through the broker.
Tags
Domain: Cloud
Domain: Identity
Data Source: Azure
Data Source: Microsoft Entra ID
Data Source: Microsoft Entra ID Sign-In Logs
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Credential Access
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Initial Access (TA0001)

Defense Evasion (TA0005)

Credential Access (TA0006)

False Positive Examples
Legitimate automation, SDKs, or custom applications that obtain tokens through the Microsoft Authentication Broker against Graph, Azure AD, or Device Registration Service may use non-browser user agents. Baseline approved service principals, managed identities, and developer tooling before tuning exclusions for known automation patterns.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.signinlogs-*
Related Integrations

azure

Query
data_stream.dataset:"azure.signinlogs" and
  event.action:"Sign-in activity" and
  event.outcome:(success or Success) and
  (azure.signinlogs.properties.app_display_name:"Microsoft Authentication Broker" or
   azure.signinlogs.properties.app_id:"29d9ed98-a469-4536-ade2-f981bc1d605e") and
  user_agent.original:(* and not (Mozilla* or Dalvik* or *CFNetwork* or
                                  Windows-AzureAD-Authentication-Provider* or
                                  Java*ThinkPad*)) and
  azure.signinlogs.properties.resource_display_name:*
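As an added example, not part of the Elastic rule or its repository, the following Python applies the query's clauses to constructed sample sign-in events so the allowlisted user-agent patterns can be checked against known automation before tuning exclusions; the make_event helper and the sample user agents are assumptions.

```python
import fnmatch

# Values taken from the rule query above.
BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
BROKER_APP_NAME = "Microsoft Authentication Broker"
# KQL wildcard patterns the rule treats as expected platform clients; fnmatch
# uses the same "*" semantics, and fnmatchcase keeps the match case-sensitive.
EXPECTED_UA_PATTERNS = ("Mozilla*", "Dalvik*", "*CFNetwork*",
                        "Windows-AzureAD-Authentication-Provider*", "Java*ThinkPad*")

def is_expected_user_agent(ua: str) -> bool:
    return any(fnmatch.fnmatchcase(ua, p) for p in EXPECTED_UA_PATTERNS)

def matches_rule(event: dict) -> bool:
    """True when a sign-in event (ECS field layout) satisfies every clause of the rule."""
    props = event.get("azure", {}).get("signinlogs", {}).get("properties", {})
    ua = event.get("user_agent", {}).get("original")
    return (
        event.get("data_stream", {}).get("dataset") == "azure.signinlogs"
        and event.get("event", {}).get("action") == "Sign-in activity"
        and event.get("event", {}).get("outcome") in ("success", "Success")
        and (props.get("app_display_name") == BROKER_APP_NAME
             or props.get("app_id") == BROKER_APP_ID)
        and bool(ua) and not is_expected_user_agent(ua)  # user_agent.original:* and not (...)
        and bool(props.get("resource_display_name"))     # resource_display_name:*
    )

def make_event(ua, outcome="success", resource="Microsoft Graph"):
    # Constructed sample event (assumed helper); field names follow the rule's index mapping.
    return {
        "data_stream": {"dataset": "azure.signinlogs"},
        "event": {"action": "Sign-in activity", "outcome": outcome},
        "azure": {"signinlogs": {"properties": {
            "app_id": BROKER_APP_ID, "app_display_name": BROKER_APP_NAME,
            "resource_display_name": resource}}},
        "user_agent": {"original": ua},
    }

# Constructed sample sign-ins: two platform clients, two scripted clients, one failed sign-in.
SAMPLE_EVENTS = [
    make_event("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"),
    make_event("Windows-AzureAD-Authentication-Provider/1.0"),
    make_event("python-requests/2.31.0"),
    make_event("node"),
    make_event("axios/1.6.0", outcome="failure"),
]

def alerting_user_agents(events):
    # User agents of the events the rule would alert on, in input order.
    return [e["user_agent"]["original"] for e in events if matches_rule(e)]
```

Running the sample set yields only the two scripted user agents; the failed sign-in is excluded by the event.outcome clause, so failed attempts with the same user agent need a separate rule.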

Install detection rules in Elastic Security

Detect Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.