Detection rules › Elastic
Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent
Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker authenticates is using a user agent that is not consistent with common browser, mobile, or Windows platform authentication clients. Adversary-in-the-middle and OAuth phishing tooling often presents scripted or relayed user agents (for example Node.js, Python, or generic HTTP libraries) while still targeting first-party resources through the broker.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078.004 Valid Accounts: Cloud Accounts, T1566.002 Phishing: Spearphishing Link |
| Stealth | T1078.004 Valid Accounts: Cloud Accounts |
| Credential Access | T1539 Steal Web Session Cookie |
Rule body elastic
[metadata]
creation_date = "2026/05/27"
integration = ["azure"]
maturity = "production"
updated_date = "2026/05/27"
[rule]
author = ["Elastic"]
description = """
Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker authenticates is using a user agent
that is not consistent with common browser, mobile, or Windows platform authentication clients. Adversary-in-the-middle and OAuth phishing
tooling often presents scripted or relayed user agents (for example Node.js, Python, or generic HTTP libraries) while
still targeting first-party resources through the broker.
"""
false_positives = [
"""
Legitimate automation, SDKs, or custom applications that obtain tokens through the Microsoft Authentication Broker
against Graph, Azure AD, or Device Registration Service may use non-browser user agents. Baseline approved
service principals, managed identities, and developer tooling before tuning exclusions for known automation
patterns.
""",
]
from = "now-9m"
index = ["logs-azure.signinlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent"
note = """## Triage and analysis
### Investigating Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent
Review `azure.signinlogs.properties.user_principal_name`, `user_agent.original`,
`azure.signinlogs.properties.resource_display_name`, `azure.signinlogs.properties.session_id`, `source.ip`, and
`source.as.organization.name`.
Confirm whether the user or application intentionally used a non-browser client against the requested resource.
### Possible investigation steps
- Inspect `user_agent.original` for automation libraries (for example `node`, `axios`, `python-requests`, `curl`).
- Correlate `azure.signinlogs.properties.session_id` with other sign-ins, device registration audit events, or Graph
activity in the same time window.
- Review conditional access outcomes and identity protection signals for the user.
- Compare `source.ip` and ASN against expected VPN, MDM, and developer egress.
### False positive analysis
- Microsoft platform and mobile clients using Mozilla-, Dalvik-, CFNetwork-, or Windows-AzureAD-Authentication-Provider-
style user agents are excluded by design.
- First-party CLI tools and test harnesses that legitimately broker tokens may still match if they use uncommon user
agent strings.
### Response and remediation
- If malicious, revoke refresh tokens for the user, review newly registered devices, and reset credentials per policy.
- Escalate when paired with suspicious ASN sign-ins, multi-IP OAuth flows, or follow-on Graph data access.
"""
references = [
"https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
"https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/",
"https://any.run/malware-trends/tycoon/",
]
risk_score = 73
rule_id = "c22f89d9-b674-4650-8454-02242c8b35eb"
severity = "high"
setup = """
Microsoft Entra ID sign-in logs (`logs-azure.signinlogs-*`) must populate `user_agent.original`,
`azure.signinlogs.properties.app_display_name`, and `azure.signinlogs.properties.resource_display_name`.
"""
tags = [
"Domain: Cloud",
"Domain: Identity",
"Data Source: Azure",
"Data Source: Microsoft Entra ID",
"Data Source: Microsoft Entra ID Sign-In Logs",
"Use Case: Threat Detection",
"Tactic: Initial Access",
"Tactic: Credential Access",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:"azure.signinlogs" and event.action:"Sign-in activity" and event.outcome:(success or Success) and
(azure.signinlogs.properties.app_display_name:"Microsoft Authentication Broker" or azure.signinlogs.properties.app_id:"29d9ed98-a469-4536-ade2-f981bc1d605e") and
user_agent.original:(* and not (Mozilla* or Dalvik* or *CFNetwork* or Windows-AzureAD-Authentication-Provider* or Java*ThinkPad*)) and
azure.signinlogs.properties.resource_display_name:*
'''
[rule.investigation_fields]
field_names = [
"@timestamp",
"user.name",
"user_agent.original",
"source.ip",
"source.as.number",
"source.as.organization.name",
"source.geo.country_name",
"event.outcome",
"azure.signinlogs.properties.user_principal_name",
"azure.signinlogs.properties.session_id",
"azure.signinlogs.properties.app_display_name",
"azure.signinlogs.properties.app_id",
"azure.signinlogs.properties.resource_display_name",
"azure.signinlogs.properties.resource_id",
"azure.signinlogs.properties.authentication_protocol",
"azure.tenant_id",
]
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1539"
name = "Steal Web Session Cookie"
reference = "https://attack.mitre.org/techniques/T1539/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
Stages and Predicates
Stage 1: query
data_stream.dataset:"azure.signinlogs" and event.action:"Sign-in activity" and event.outcome:(success or Success) and
(azure.signinlogs.properties.app_display_name:"Microsoft Authentication Broker" or azure.signinlogs.properties.app_id:"29d9ed98-a469-4536-ade2-f981bc1d605e") and
user_agent.original:(* and not (Mozilla* or Dalvik* or *CFNetwork* or Windows-AzureAD-Authentication-Provider* or Java*ThinkPad*)) and
azure.signinlogs.properties.resource_display_name:*
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
user_agent.original | match | CFNetwork |
user_agent.original | starts_with | Dalvik |
user_agent.original | starts_with | Mozilla |
user_agent.original | starts_with | Windows-AzureAD-Authentication-Provider |
user_agent.original | wildcard | Java*ThinkPad* |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
azure.signinlogs.properties.app_display_name | eq |
|
azure.signinlogs.properties.app_id | eq |
|
azure.signinlogs.properties.resource_display_name | is_not_null | |
data_stream.dataset | eq |
|
event.action | eq |
|
event.outcome | in |
|
user_agent.original | is_not_null |