Entra ID Register Device with Unusual User Agent (Azure AD Join)

Status: production
Severity: medium
Time window: 9m
Author: Elastic
Source: github.com/elastic/detection-rules

Detects successful Microsoft Entra ID audit events for Register device where additional details indicate an Azure AD join and the recorded user agent is not one of the common native registration clients (Dsreg, DeviceRegistrationClient, or Dalvik-based Android enrollment). Legitimate Windows and standard mobile enrollment flows often present predictable user-agent strings; unexpected clients may reflect scripted registration, third-party tooling, or adversary-driven device registration used for persistence or token abuse. Baseline approved provisioning tools and MDM integrations before tuning.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1098.005` Account Manipulation: Device Registration

Event coverage

Provider	Event
Entra-AuditLogs	Register device

Rule body elastic

[metadata]
creation_date = "2026/05/15"
integration = ["azure"]
maturity = "production"
updated_date = "2026/05/15"

[rule]
author = ["Elastic"]
description = """
Detects successful Microsoft Entra ID audit events for Register device where additional details indicate an Azure AD join
and the recorded user agent is not one of the common native registration clients (Dsreg, DeviceRegistrationClient, or
Dalvik-based Android enrollment). Legitimate Windows and standard mobile enrollment flows often present predictable
user-agent strings; unexpected clients may reflect scripted registration, third-party tooling, or adversary-driven device
registration used for persistence or token abuse. Baseline approved provisioning tools and MDM integrations before tuning.
"""
false_positives = [
    """
    Custom device management agents, OEM enrollment clients, or updated Microsoft clients that use new user-agent strings
    may match. Add exclusions for known `azure.auditlogs.properties.userAgent` values or enrollment programs after review.
    """,
]
from = "now-9m"
index = ["logs-azure.auditlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Entra ID Register Device with Unusual User Agent (Azure AD Join)"
note = """## Triage and analysis

### Investigating Entra ID Register Device with Unusual User Agent (Azure AD Join)

Review `azure.auditlogs.properties.initiated_by.user.userPrincipalName`, source IP fields on the audit event,
`azure.auditlogs.properties.target_resources.0.display_name` for the device name, and
`azure.correlation_id` for related audit entries.

Compare `azure.auditlogs.properties.userAgent` to your organization's standard Autopilot, Intune, and Windows enrollment
clients.

### Possible investigation steps

- Confirm whether the user intentionally joined a device and whether the user agent matches a known provisioning package.
- Pivot to `azure.signinlogs` for the same principal and timeframe for risky sign-ins or token broker activity.
- Search for other `Register device` events from the same IP or user agent across the tenant.

### Response and remediation

- If malicious, remove the device in Entra ID, revoke refresh and primary refresh tokens for the user, and reset credentials per policy.
- Tighten device registration and join controls via Conditional Access and device compliance policies.
"""
references = [
    "https://learn.microsoft.com/en-us/entra/identity/devices/concept-directory-join",
    "https://github.com/dirkjanm/ROADtools",
]
risk_score = 47
rule_id = "d4695889-0410-4e7b-a4aa-59be525a11a6"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Audit Logs",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:"azure.auditlogs" and event.action:"Register device" and
event.outcome:(success or Success) and
azure.auditlogs.properties.userAgent:(* and not (Dsreg* or DeviceRegistrationClient or Dalvik*)) and
azure.auditlogs.properties.additional_details.value:"Azure AD join"
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "event.action",
    "event.outcome",
    "azure.auditlogs.properties.userAgent",
    "azure.auditlogs.properties.additional_details.value",
    "azure.auditlogs.properties.initiated_by.user.userPrincipalName",
    "azure.auditlogs.properties.initiated_by.user.ipAddress",
    "azure.auditlogs.properties.target_resources.0.display_name",
    "azure.auditlogs.properties.target_resources.0.id",
    "azure.correlation_id",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.005"
name = "Device Registration"
reference = "https://attack.mitre.org/techniques/T1098/005/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

Stages and Predicates

Stage 1: `query`

data_stream.dataset:"azure.auditlogs" and event.action:"Register device" and
event.outcome:(success or Success) and
azure.auditlogs.properties.userAgent:(* and not (Dsreg* or DeviceRegistrationClient or Dalvik*)) and
azure.auditlogs.properties.additional_details.value:"Azure AD join"

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`azure.auditlogs.properties.userAgent`	eq	`DeviceRegistrationClient`
`azure.auditlogs.properties.userAgent`	starts_with	`Dalvik`
`azure.auditlogs.properties.userAgent`	starts_with	`Dsreg`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`azure.auditlogs.properties.additional_details.value`	eq	`Azure AD join`
`azure.auditlogs.properties.userAgent`	is_not_null	(no value, null check)
`data_stream.dataset`	eq	`azure.auditlogs`
`event.action`	eq	`Register device`
`event.outcome`	in	`Success` `success`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Entra ID Register Device with Unusual User Agent (Azure AD Join)

MITRE ATT&CK coverage

Event coverage

Rule body elastic

Stages and Predicates

Stage 1: `query`

Exclusions

Indicators

Keyboard shortcuts

Search operators

Entra ID Register Device with Unusual User Agent (Azure AD Join)

MITRE ATT&CK coverage

Event coverage

Rule body elastic

Stages and Predicates

Stage 1: query

Exclusions

Indicators

Stage 1: `query`