Elastic Security Detection Rules

Microsoft 365 OAuth Redirect to Device Registration for User Principal

Last updated 14 days ago on 2025-04-30
Created 14 days ago on 2025-04-30

About

Identifies attempts to register a new device in Microsoft Entra ID after OAuth authentication with authorization code grant. Adversaries may use OAuth phishing techniques to obtain an OAuth authorization code, which can then be exchanged for access and refresh tokens. This rule detects a sequence of events where a user principal authenticates via OAuth, followed by a device registration event, indicating potential misuse of the OAuth flow to establish persistence or access resources.
Tags
Domain: CloudDomain: SaaSData Source: Microsoft 365Data Source: Microsoft 365 Audit LogsUse Case: Identity and Access AuditTactic: Credential AccessLanguage: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Credential Access (TA0006)(opens in a new tab or window)

Steal Application Access Token (T1528)(opens in a new tab or window)

Persistence (TA0003)(opens in a new tab or window)

Account Manipulation (T1098)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-o365.audit-*
Related Integrations

o365(opens in a new tab or window)

Query
sequence by related.user with maxspan=30m
[authentication where event.action == "UserLoggedIn" and
 o365.audit.ExtendedProperties.RequestType == "OAuth2:Authorize" and o365.audit.ExtendedProperties.ResultStatusDetail == "Redirect" and
 o365.audit.UserType: ("0", "2", "3", "10")] // victim source.ip
[authentication where event.action == "UserLoggedIn" and
 o365.audit.ExtendedProperties.RequestType == "OAuth2:Token" and o365.audit.ExtendedProperties.ResultStatusDetail == "Success"] // attacker source.ip to convert oauth code to token
[web where event.dataset == "o365.audit" and event.action == "Add registered users to device."] // user.name is captured in related.user

Install detection rules in Elastic Security

Detect Microsoft 365 OAuth Redirect to Device Registration for User Principal in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).