Entra ID User Sign-in with Unusual Non-Managed Device
Detects Microsoft Entra ID user sign-ins from devices not typically used or managed, indicating potential account compromise or unauthorized access via device registration for persistence.
This detection identifies instances where a Microsoft Entra ID user logs in from a device that is both unusual for that user and not managed by the organization. The rule leverages Microsoft Entra ID Sign-In logs to compare the device used in the sign-in attempt against the user's typical device usage patterns. A successful attack may involve an adversary registering a new device to obtain a Primary Refresh Token (PRT), which enables them to maintain persistent access to the environment. This activity can begin from initial access through compromised credentials or other methods. This rule is designed to detect unusual access patterns that might signify malicious activity, specifically within Microsoft Entra ID environments. The rule leverages Azure sign-in logs to identify potentially compromised or malicious accounts and devices.
Attack Chain
- The attacker gains initial access through compromised credentials or other methods (e.g., phishing, credential stuffing).
- The attacker registers a new, non-managed device within the Entra ID environment.
- The compromised user account is used to sign in from the newly registered, unusual device.
- The sign-in attempt generates a Microsoft Entra ID Sign-In log event.
- The log event is evaluated against the user's historical device usage patterns.
- Because the device is new and unusual for the user, the detection rule triggers.
- The attacker obtains a Primary Refresh Token (PRT) from the registered device.
- The attacker uses the PRT for persistent access to Entra ID resources, potentially leading to data exfiltration or further malicious activities.
Impact
Compromised Entra ID accounts can lead to unauthorized access to sensitive cloud resources and data. Successful exploitation enables attackers to maintain persistence and potentially escalate their privileges within the cloud environment. Lateral movement and data exfiltration may occur if the attacker gains access to high-value accounts or resources. While this specific detection has a low severity, it serves as an early warning sign of more significant compromise. The number of affected users will vary depending on the scope of the initial compromise and the attacker's subsequent actions.
Recommendation
- Deploy the provided Sigma rule to your SIEM and tune it to reduce false positives based on your environment's baseline (e.g., frequent device changes) and user behavior.
- Review the Microsoft Entra ID Sign-In logs for the affected user(s) to identify any other unusual activity (
azure.signinlogs.properties.user_principal_nameandazure.signinlogs.properties.device_detail.device_id). - Investigate the device identified in the alert to determine if it is managed and authorized (
azure.signinlogs.properties.device_detail.is_managed). - Review the conditional access policies in place to ensure they are sufficient to prevent unauthorized access, especially from non-managed devices.
- Monitor the Azure Event Hub for any anomalies related to device registration or authentication events.
- Consider adding exceptions for verified devices that are known to be used by the user to reduce false positives.
Detection coverage 2
Entra ID Unusual Device Sign-in
mediumDetects Entra ID user sign-ins from devices not typically used by the user, indicating potential account compromise or unauthorized access.
Entra ID Sign-in with Unbound Session Status
lowDetects Entra ID sign-ins with an unbound session status, which can indicate token theft or manipulation.
Detection queries are available on the platform. Get full rules →