
[Rule Tuning] Entra ID OAuth Device Code Grant by Unusual User #5790

@terrancedejesus


Summary

Tuning the existing Entra ID OAuth Device Code Grant by Unusual User rule (af22d970-7106-45b4-b5e3-460d15333727) to reduce false positives by excluding first-party Microsoft applications that legitimately use device code authentication and are not commonly abused in phishing campaigns.

Changes

Query Filter: User Type

  • Added azure.signinlogs.properties.user_type:* filter to scope the rule to Entra ID user types only, excluding events without a user type (e.g., service principal sign-ins).

Query Filter: Excluded First-Party App IDs
Added exclusions for first-party Microsoft applications that generate significant false positives due to legitimate device code usage:

| App Name | App ID | Reason for Exclusion |
|---|---|---|
| Microsoft Authentication Broker | 29d9ed98-a469-4536-ade2-f981bc1d605e | PRT broker, device code is expected |
| Azure Artifacts | d5a56ea4-7369-46b8-a538-c370805301bf | Package management from CI/CD pipelines |
| Azure Kubernetes Service AAD Client | 80faf920-1908-4b52-b5ef-a8e7bedfc67a | kubectl/AKS tooling authentication |
| Azure DevOps | 97877f11-0fc6-4aee-b1ff-febb0519dd00 | CI/CD pipeline authentication |
| Windows Terminal | 245e1dee-74ef-4257-a8c8-8208296e1dfd | Terminal-based authentication |
| Microsoft Intune Company Portal | 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223 | Device enrollment |
| Microsoft Intune Web Company Portal | 74bcdadc-2fdc-4bb3-8459-76d06952a0e9 | Device enrollment |
| Microsoft Authenticator App | 4813382a-8fa7-425e-ab75-3b753aab3abb | Authentication app |
| Polycom - Skype for Business Certified Phone | a850aaae-d5a5-4e82-877c-ce54ff916282 | Input-constrained phone device |

Applications Intentionally Kept (Commonly Abused)
The following first-party apps remain in scope as they are frequently abused in device code phishing campaigns:

  • Microsoft Azure CLI (04b07795-8ddb-461a-bbee-02f9e1bf7b46) - Common phishing target
  • Microsoft Azure PowerShell (1950a258-227b-4e31-a9cf-717495945fc2) - Common phishing target
  • Microsoft Teams (1fec8e78-bce4-4aaf-ab1b-5451cc387264) - Storm-2372 phishing vector
  • Microsoft Graph Command Line Tools (14d82eec-204b-4c2f-b7e8-296a70dab67e) - Post-compromise recon
  • Microsoft Exchange REST API Based Powershell (fb78d390-0c51-40cd-8e17-fdbfab77341b) - Email access abuse
  • Azure Storage AzCopy (579a7132-0e58-4d80-b1e1-7a1e2d337859) - Abused by STORM-0501

Other Changes

  • Updated description to clarify the rule applies to Entra ID user types
  • Updated setup note to reference Entra ID Sign-In logs (not Azure)
  • Added "Data Source: Microsoft Entra ID Sign-In Logs" and "Domain: Identity" tags
  • Added original_transfer_method:deviceCodeFlow as an additional detection condition
  • Updated history window from now-14d to now-7d
  • Added Storm-2372 Microsoft security blog reference
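Added example, not from this PR or the detection-rules repository: the tuned filter logic above expressed as plain Python over constructed sign-in events, so the effect of each change (the `user_type:*` scoping, the first-party app exclusions, the new `original_transfer_method:deviceCodeFlow` condition and the 7-day history window) can be checked event by event. The app IDs are the ones listed in this PR; the `authentication_protocol == "deviceCode"` check standing in for the rule's existing device code condition, the `app_id` field name, and the first-seen model of "unusual user" are assumptions, not the rule's actual query.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# First-party app IDs excluded by this PR (taken from the table above).
EXCLUDED_APP_IDS = {
    "29d9ed98-a469-4536-ade2-f981bc1d605e",  # Microsoft Authentication Broker
    "d5a56ea4-7369-46b8-a538-c370805301bf",  # Azure Artifacts
    "80faf920-1908-4b52-b5ef-a8e7bedfc67a",  # Azure Kubernetes Service AAD Client
    "97877f11-0fc6-4aee-b1ff-febb0519dd00",  # Azure DevOps
    "245e1dee-74ef-4257-a8c8-8208296e1dfd",  # Windows Terminal
    "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223",  # Microsoft Intune Company Portal
    "74bcdadc-2fdc-4bb3-8459-76d06952a0e9",  # Microsoft Intune Web Company Portal
    "4813382a-8fa7-425e-ab75-3b753aab3abb",  # Microsoft Authenticator App
    "a850aaae-d5a5-4e82-877c-ce54ff916282",  # Polycom - Skype for Business Certified Phone
}

# History window as changed by this PR (now-14d -> now-7d).
HISTORY_WINDOW = timedelta(days=7)


@dataclass
class SignInEvent:
    """Minimal model of an Entra ID sign-in event. user_type and
    original_transfer_method follow the azure.signinlogs.properties.* names
    stated in the PR; app_id and authentication_protocol are assumed names."""
    timestamp: datetime
    user: str                                       # principal the rule keys on
    app_id: str                                     # assumed field name
    user_type: Optional[str] = None                 # azure.signinlogs.properties.user_type
    authentication_protocol: Optional[str] = None   # assumed: "deviceCode" for device code grants
    original_transfer_method: Optional[str] = None  # "deviceCodeFlow" per this PR


def is_device_code_grant(ev: SignInEvent) -> bool:
    """Existing device code condition (assumed to be the protocol check) OR the
    additional original_transfer_method condition added by this PR."""
    return (ev.authentication_protocol == "deviceCode"
            or ev.original_transfer_method == "deviceCodeFlow")


def in_scope(ev: SignInEvent) -> bool:
    """Apply the PR's query filters: user_type must be present (drops service
    principal sign-ins), the app must not be an excluded first-party app, and
    the event must be a device code grant."""
    if not ev.user_type:                 # user_type:* filter
        return False
    if ev.app_id in EXCLUDED_APP_IDS:    # first-party exclusions
        return False
    return is_device_code_grant(ev)


def find_unusual_users(events: Iterable[SignInEvent]) -> List[Tuple[str, str, datetime]]:
    """Simplified 'unusual user' logic (assumption: a first-seen check over the
    history window). An in-scope event alerts when its user has had no other
    in-scope device code sign-in within the preceding HISTORY_WINDOW."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        if not in_scope(ev):
            continue
        prev = last_seen.get(ev.user)
        if prev is None or ev.timestamp - prev > HISTORY_WINDOW:
            alerts.append((ev.user, ev.app_id, ev.timestamp))
        last_seen[ev.user] = ev.timestamp
    return alerts


# Constructed sample events (not real log data). App IDs come from this PR.
AZURE_CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"   # kept in scope
TEAMS = "1fec8e78-bce4-4aaf-ab1b-5451cc387264"       # kept in scope
AUTH_BROKER = "29d9ed98-a469-4536-ade2-f981bc1d605e" # excluded
T0 = datetime(2025, 1, 1)

SAMPLE_EVENTS = [
    SignInEvent(T0, "alice@example.test", AZURE_CLI, "Member", "deviceCode"),
    SignInEvent(T0 + timedelta(days=2), "alice@example.test", AZURE_CLI, "Member", "deviceCode"),
    SignInEvent(T0 + timedelta(days=1), "bob@example.test", AUTH_BROKER, "Member", "deviceCode"),   # excluded app
    SignInEvent(T0 + timedelta(days=1), "svc-principal", TEAMS, None, "deviceCode"),                # no user_type
    SignInEvent(T0 + timedelta(days=3), "dave@example.test", TEAMS, "Guest", None, "deviceCodeFlow"),  # new condition
    SignInEvent(T0 + timedelta(days=10), "alice@example.test", AZURE_CLI, "Member", "deviceCode"),  # 8 days after last sign-in, outside 7d window
]

if __name__ == "__main__":
    for user, app_id, ts in find_unusual_users(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d} unusual device code sign-in: {user} via {app_id}")
```

Running it yields three alerts: alice's first Azure CLI device code sign-in, dave's Teams sign-in matched only through the new `deviceCodeFlow` condition, and alice again on day 10 because her previous sign-in falls outside the 7-day window (it would not have alerted under the old 14-day window). The Authentication Broker event and the event without a user type are dropped by the new filters.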

Testing

[Screenshot of test results not captured.]