Description
Missing coverage for unusual cloud domain device registration in Entra ID related to OAuth phishing and ROADtools usage.
Target Ruleset
azure
Target Rule Type
Event Correlation (EQL)
Tested ECS Version
No response
Query
sequence by azure.correlation_id with maxspan=1m
  [any where event.dataset == "azure.auditlogs" and
     azure.auditlogs.identity == "Device Registration Service" and
     azure.auditlogs.operation_name == "Add device" and
     azure.auditlogs.properties.additional_details.value like "Microsoft.OData.Client/*" and
     (azure.auditlogs.properties.target_resources.`0`.modified_properties.`1`.display_name == "CloudAccountEnabled" and
      azure.auditlogs.properties.target_resources.`0`.modified_properties.`1`.new_value: "[true]") and
     azure.auditlogs.properties.target_resources.`0`.modified_properties.`3`.new_value like "*10.0.19041.928*"]
  [any where event.dataset == "azure.auditlogs" and
     azure.auditlogs.operation_name == "Add registered users to device" and
     azure.auditlogs.properties.target_resources.`0`.modified_properties.`2`.new_value like "*urn:ms-drs:enterpriseregistration.windows.net*"]
  [any where event.dataset == "azure.auditlogs" and
     azure.auditlogs.operation_name == "Add registered owner to device"]
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
https://github.com/elastic/ia-trade-team/issues/590
References
Redacted Example Data
No response
Additional Information
- Correlation ID helps establish relationships between user sessions in Entra ID; it is almost identical to a session ID
- Our first event looks for the DRS service adding a device, specifically a cloud domain device added via the OData client
- Additionally, 10.0.19041.928 is hardcoded in ROADtools and used when adding a device, thus it is a good fingerprint for use of this tool
- These three events happen in a very short time-frame via the use of ROADtools.
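To make the three-stage sequence and its 1m window concrete, here is an added Python re-implementation of the query's logic run over constructed audit events (this is illustration code, not part of the issue or of Elastic's rule). The flattened event shape, the timestamps, the `7.12.0` OData client version and the JSON-array form of the `new_value` strings are assumptions.

```python
from collections import defaultdict
MAXSPAN = 60                      # seconds, mirrors the query's maxspan=1m
ROADTOOLS_OS = "10.0.19041.928"   # version string hardcoded in ROADtools (per the issue)
DRS_URN = "urn:ms-drs:enterpriseregistration.windows.net"
def _prop(ev, idx, key):  # modified_properties[idx][key], or "" when absent
    props = ev.get("modified_properties", [])
    return props[idx].get(key, "") if idx < len(props) else ""
# One predicate per bracketed EQL event, in sequence order.
STAGES = [
    lambda ev: (ev["operation_name"] == "Add device"
                and ev.get("identity") == "Device Registration Service"
                and ev.get("user_agent", "").startswith("Microsoft.OData.Client/")
                and _prop(ev, 1, "display_name") == "CloudAccountEnabled" and _prop(ev, 1, "new_value").lower() == "[true]"
                and ROADTOOLS_OS in _prop(ev, 3, "new_value")),
    lambda ev: (ev["operation_name"] == "Add registered users to device"
                and DRS_URN in _prop(ev, 2, "new_value")),
    lambda ev: ev["operation_name"] == "Add registered owner to device",
]

def detect(events):
    """Return correlation_ids whose events hit all three stages, in order, within MAXSPAN."""
    by_corr = defaultdict(list)
    for ev in events:
        by_corr[ev["correlation_id"]].append(ev)
    hits = []
    for corr_id, evs in by_corr.items():
        stage, start = 0, None
        for ev in sorted(evs, key=lambda e: e["ts"]):
            if start is not None and ev["ts"] - start > MAXSPAN:
                stage, start = 0, None       # window expired: restart the sequence
            if STAGES[stage](ev):
                start, stage = (start if stage else ev["ts"]), stage + 1
            if stage == len(STAGES):
                hits.append(corr_id)
                break
    return hits

# Constructed sample audit events (not real tenant data), shaped after the fields the rule reads.
def _ev(ts, corr, op, props=(), **extra):
    return {"ts": ts, "correlation_id": corr, "operation_name": op, "modified_properties": list(props), **extra}
DEVICE_PROPS = [{}, {"display_name": "CloudAccountEnabled", "new_value": "[true]"}, {}, {"new_value": '["10.0.19041.928"]'}]
USER_PROPS = [{}, {}, {"new_value": '["' + DRS_URN + '"]'}]
DRS = {"identity": "Device Registration Service", "user_agent": "Microsoft.OData.Client/7.12.0"}
SAMPLE = [
    _ev(0, "c-1", "Add device", DEVICE_PROPS, **DRS), _ev(5, "c-1", "Add registered users to device", USER_PROPS),
    _ev(9, "c-1", "Add registered owner to device"),        # c-1: full chain within 9 s -> hit
    _ev(100, "c-2", "Add device", DEVICE_PROPS, **DRS), _ev(105, "c-2", "Add registered users to device", USER_PROPS),
    _ev(400, "c-2", "Add registered owner to device"),      # c-2: owner step 300 s later -> no hit
]
```

`detect(SAMPLE)` returns `["c-1"]`: the second chain is dropped because its owner-registration event falls outside the window, which is exactly what `maxspan=1m` does in the EQL sequence.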