Elastic Security Detection Rules

Suspicious ADRS Token Request by Microsoft Auth Broker

Last updated 11 days ago on 2025-06-13
Created 11 days ago on 2025-06-13

About

Detects suspicious OAuth 2.0 token requests where the Microsoft Authentication Broker (29d9ed98-a469-4536-ade2-f981bc1d605e) requests access to the Device Registration Service (01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9) on behalf of a user principal. The presence of the adrs_access scope in the authentication processing details suggests an attempt to access ADRS, which is atypical for standard user sign-ins. This behavior may reflect an effort to abuse device registration for unauthorized persistence, such as acquiring a Primary Refresh Token (PRT) or establishing a trusted session.
Tags
Domain: CloudDomain: IdentityData Source: AzureData Source: Microsoft Entra IDData Source: Microsoft Entra ID Sign-In LogsUse Case: Identity and Access AuditTactic: PersistenceLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

Account Manipulation (T1098)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-azure.signinlogs-*
Related Integrations

azure(opens in a new tab or window)

Query
event.dataset: "azure.signinlogs" and
    azure.signinlogs.properties.app_id : "29d9ed98-a469-4536-ade2-f981bc1d605e" and
    azure.signinlogs.properties.resource_id : "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9" and
    azure.signinlogs.category: "NonInteractiveUserSignInLogs" and
    azure.signinlogs.properties.authentication_processing_details: *adrs_access* and
    azure.signinlogs.properties.incoming_token_type: "refreshToken" and
    azure.signinlogs.properties.user_type: "Member"

Install detection rules in Elastic Security

Detect Suspicious ADRS Token Request by Microsoft Auth Broker in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).