Azure Entra ID Rare App ID for Principal Authentication

Last updated: 2025-03-10
Created: 2025-03-10

About

Identifies rare Azure Entra ID app IDs requesting authentication on behalf of a principal user. An adversary with stolen credentials may specify an Azure-managed app ID to authenticate on behalf of a user. This is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The app ID specified may not be one the user commonly uses, based on their historical sign-in activity.
Tags
Domain: Cloud
Data Source: Azure
Data Source: Entra ID
Data Source: Entra ID Sign-in
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Initial Access
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)

License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-azure*
Related Integrations

azure

Query
event.dataset: "azure.signinlogs" and event.category: "authentication"
    and azure.signinlogs.properties.is_interactive: false
    and azure.signinlogs.properties.user_type: "Member"
    and not azure.signinlogs.properties.client_app_used: "Browser"
    and not source.as.organization.name: "MICROSOFT-CORP-MSN-AS-BLOCK"
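The following is an added Python model of how this rule behaves when its KQL filter is combined with the New Terms rule type; it is example code written for this page, not the Elastic detection engine's code or anything from the rule itself. It assumes (the page does not state these) that the new-terms fields are azure.signinlogs.properties.user_principal_name and azure.signinlogs.properties.app_id, that the history window is 7 days, and that the sign-in events below are constructed sample data rather than real tenant logs.

```python
"""Added example, not the Elastic rule page's or Elastic's own code.

Assumptions (labelled as such, not stated on the page):
  * new-terms fields: azure.signinlogs.properties.user_principal_name
    and azure.signinlogs.properties.app_id
  * history window: 7 days
  * SAMPLE_EVENTS below are constructed, not real sign-in logs
"""
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=7)   # assumed window, see module docstring


def matches_query(ev: dict) -> bool:
    """The rule's KQL filter, clause by clause, as Python predicates.
    A missing client_app_used or source ASN field still matches the
    'not' clauses, mirroring KQL semantics; a missing is_interactive
    or user_type field does not match the positive clauses."""
    props = ev.get("azure.signinlogs.properties", {})
    return (
        ev.get("event.dataset") == "azure.signinlogs"
        and ev.get("event.category") == "authentication"
        and props.get("is_interactive") is False
        and props.get("user_type") == "Member"
        and props.get("client_app_used") != "Browser"
        and ev.get("source.as.organization.name") != "MICROSOFT-CORP-MSN-AS-BLOCK"
    )


def term_key(ev: dict) -> tuple:
    """The (principal, app ID) pair that the New Terms logic tracks (assumed fields)."""
    props = ev["azure.signinlogs.properties"]
    return (props.get("user_principal_name"), props.get("app_id"))


def new_terms_alerts(events: list) -> list:
    """Replay events in time order. A filter-matching event raises an alert
    when its (user, app_id) pair has not occurred, among matching events,
    within the preceding history window. With no history at all (first
    event in the replay) the pair is by definition new and also alerts."""
    last_seen = {}   # term key -> timestamp of its most recent matching event
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        key = term_key(ev)
        ts = ev["@timestamp"]
        prev = last_seen.get(key)
        if prev is None or ts - prev > HISTORY_WINDOW:
            alerts.append({"@timestamp": ts, "user": key[0], "app_id": key[1]})
        last_seen[key] = ts
    return alerts


def make_event(ts, upn, app_id, interactive=False, user_type="Member",
               client_app="Mobile Apps and Desktop clients", asn_org="EXAMPLE-ISP"):
    """Build one constructed azure.signinlogs event in the flattened field layout."""
    return {
        "@timestamp": ts,
        "event.dataset": "azure.signinlogs",
        "event.category": "authentication",
        "source.as.organization.name": asn_org,
        "azure.signinlogs.properties": {
            "is_interactive": interactive,
            "user_type": user_type,
            "client_app_used": client_app,
            "user_principal_name": upn,
            "app_id": app_id,
        },
    }


T0 = datetime(2025, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    # Baseline: alice's non-interactive token use of app-A every day for two weeks.
    *[make_event(T0 + timedelta(days=d), "alice@example.com", "app-A") for d in range(14)],
    # Day 14: alice authenticates with app-B, never seen for her -> alert.
    make_event(T0 + timedelta(days=14), "alice@example.com", "app-B"),
    # Day 14, an hour later: app-B again -> already seen within the window, no alert.
    make_event(T0 + timedelta(days=14, hours=1), "alice@example.com", "app-B"),
    # Interactive browser sign-in: excluded by the filter regardless of app ID.
    make_event(T0 + timedelta(days=14, hours=2), "alice@example.com", "app-C",
               interactive=True, client_app="Browser"),
    # Guest user: excluded by the user_type clause.
    make_event(T0 + timedelta(days=14, hours=3), "bob@partner.example", "app-B", user_type="Guest"),
    # Source ASN on the exclusion list: excluded even though the app ID is new.
    make_event(T0 + timedelta(days=14, hours=4), "alice@example.com", "app-D",
               asn_org="MICROSOFT-CORP-MSN-AS-BLOCK"),
]

if __name__ == "__main__":
    for a in new_terms_alerts(SAMPLE_EVENTS):
        print(f"{a['@timestamp']:%Y-%m-%d %H:%M}  new app ID {a['app_id']} for {a['user']}")
```

Run against the constructed events, the model raises two alerts: app-A for alice on the first day of the replay (no history yet) and app-B on day 14; the browser, guest and excluded-ASN events never reach the new-terms stage. When tuning the real rule, the same three exclusion clauses are where most noise reduction happens, and the history window decides how quickly a legitimately adopted app stops alerting.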

Install detection rules in Elastic Security

Detect Azure Entra ID Rare App ID for Principal Authentication in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.