Description
Missing coverage for suspicious ADRS token requests from Microsoft's Authentication Broker by a user principal with a refresh token. Identifies Microsoft Entra ID sign-in events where a user principal authenticates using a refresh token issued to the Microsoft Authentication Broker (MAB) client, targeting the Device Registration Service (DRS) with the adrs_access OAuth scope. This pattern may indicate token-based access to DRS following an initial authorization code phishing or device registration flow.
Target Ruleset
azure
Target Rule Type
Custom (KQL or Lucene)
Tested ECS Version
No response
Query
event.dataset: "azure.signinlogs" and azure.signinlogs.properties.app_id : "29d9ed98-a469-4536-ade2-f981bc1d605e" and azure.signinlogs.properties.resource_id : "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9" and azure.signinlogs.properties.authentication_processing_details.`Oauth Scope Info`: *adrs_access* and azure.signinlogs.properties.incoming_token_type: "refreshToken" and azure.signinlogs.properties.user_type: "Member"
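To sanity-check the query logic offline, here is an added Python example (not part of this issue or the detection-rules repo) that evaluates the same clauses against constructed documents shaped like ECS azure.signinlogs events; the sample values other than the two IDs from the query are constructed, and `authentication_processing_details` is assumed to be an object keyed by the processing-detail name.

```python
MAB_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"      # Microsoft Authentication Broker (from the query)
DRS_RESOURCE_ID = "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"  # Device Registration Service (from the query)

def _get(doc, path):
    """Walk a dotted path through nested dicts; return None if any step is missing."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def matches_rule(doc):
    """True when a document satisfies every clause of the KQL query in this issue."""
    props = "azure.signinlogs.properties"
    scope_info = _get(doc, f"{props}.authentication_processing_details.Oauth Scope Info")
    return (
        _get(doc, "event.dataset") == "azure.signinlogs"
        and _get(doc, f"{props}.app_id") == MAB_APP_ID
        and _get(doc, f"{props}.resource_id") == DRS_RESOURCE_ID
        and isinstance(scope_info, str) and "adrs_access" in scope_info  # KQL *adrs_access*
        and _get(doc, f"{props}.incoming_token_type") == "refreshToken"
        and _get(doc, f"{props}.user_type") == "Member"
    )

def make_event(**overrides):
    """Constructed sample sign-in event; keyword arguments override property values."""
    props = {
        "app_id": MAB_APP_ID,
        "resource_id": DRS_RESOURCE_ID,
        "authentication_processing_details": {"Oauth Scope Info": "adrs_access openid"},
        "incoming_token_type": "refreshToken",
        "user_type": "Member",
    }
    props.update(overrides)
    return {"event": {"dataset": "azure.signinlogs"},
            "azure": {"signinlogs": {"properties": props}}}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    make_event(),                                            # MAB refresh token -> DRS, adrs_access: match
    make_event(incoming_token_type="primaryRefreshToken"),   # PRT rather than refresh token: no match
    make_event(user_type="Guest"),                           # guest principal: out of scope
    make_event(authentication_processing_details={"Oauth Scope Info": "openid profile"}),  # no DRS scope
]

def matching_indexes(events):
    """Indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]
```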
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
https://github.com/elastic/ia-trade-team/issues/590
References
Redacted Example Data
No response