[New Rule] Entra ID / M365 - Unusual ROPC Auth and/or Legacy Clients#6377
Merged
Merged
Conversation
Contributor
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
Contributor
There was a problem hiding this comment.
Pull request overview
Adds new detections and a tuning update to improve coverage for Entra ID / M365 legacy-auth and ROPC-style sign-ins (including the BAV2ROPC user agent), with the goal of catching password-spray / account takeover activity across both Entra Sign-In Logs and M365 Unified Audit Logs.
Changes:
- Adds a new M365 UAL New Terms rule for successful
UserLoggedInevents withuser_agent.original: "BAV2ROPC"(legacy client translated into ROPC). - Adds a new Entra ID New Terms rule for first-time-seen legacy
client_app_usedvalues (Authenticated SMTP/IMAP/POP/EAS/etc.). - Tunes the existing Entra ID ROPC New Terms rule to also match
BAV2ROPCand refreshes references/updated_date.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| rules/integrations/o365/initial_access_identity_ropc_grant_via_legacy_authenticated_client.toml | New M365 UAL New Terms rule to detect first-seen successful BAV2ROPC sign-ins. |
| rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml | Tunes existing Entra ROPC rule to include BAV2ROPC and updates metadata/references. |
| rules/integrations/azure/initial_access_entra_id_unusual_legacy_auth_client_signin.toml | New Entra New Terms rule to detect first-seen successful legacy client sign-ins via client_app_used. |
django-88
approved these changes
Jul 7, 2026
bryans3c
approved these changes
Jul 7, 2026
…y_auth_client_signin.toml Co-authored-by: Bryan Porras <bryan.porras@elastic.co>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request
Issue link(s):
Adds a couple detections around ROPC auth and legacy authentication clients for Entra ID and M365. Originally we only had ROPC in Entra ID, that has been added for M365 UAL logs. Also tuned a rule to be either ROPC auth or
BAV2ROPCwhich is the default user-agent by MSFT for ROPC from legacy apps to use OAuth.M365 OAuth ROPC Grant via Legacy Authenticated Client
Detects a successful M365 Unified Audit Log UserLoggedIn where user_agent.original is BAV2ROPC, indicating a legacy basic-auth client (SMTP/IMAP/POP/EAS) translated by Entra into a single-factor ROPC grant that bypasses interactive MFA. Serves as a backstop to the Entra Sign-In ROPC rule since UAL is a separate ingestion pipeline that still captures this login when non-interactive sign-in logs aren't forwarded.
New: Entra ID User Sign-In via Unusual Legacy Authentication Client
New Terms rule that fires when a Member user is first seen (in 7 days) successfully authenticating via any Microsoft-defined legacy client_app_used protocol, which is unusual in modern-auth environments and common in password spraying / account takeover. Uses an explicit legacy inclusion-list (not a "not-modern" exclusion) specifically to avoid the high-volume Unknown service-principal bucket, and keys on client_app_used rather than app_id because legacy basic-auth records the app as the benign Office 365 Exchange Online.
Summary - What I changed
How To Test
Queries can be used in TRADE stack and others.
Checklist
bug,enhancement,schema,maintenance,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generatedmeta:rapid-mergelabel if planning to merge within 24 hoursContributor checklist