Skip to content

[New Rule] External Authentication Method Addition or Modification in Entra ID #4906

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
[metadata]
creation_date = "2025/07/14"
integration = ["azure"]
maturity = "production"
updated_date = "2025/07/14"

[rule]
author = ["Elastic"]
description = """
Identifies when an external authentication method (EAM) is added or modified in Entra ID. EAM may allow adversaries to
bypass multi-factor authentication (MFA) requirements, potentially leading to unauthorized access to user accounts and
sensitive resources by using bring-your-own IdP (BYOIDP) methods.
"""
from = "now-9m"
index = ["filebeat-*", "logs-azure.graphactivitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "External Authentication Method Addition or Modification in Entra ID"
note = """## Triage and analysis

### Investigating External Authentication Method Addition or Modification in Entra ID

This rule detects suspicious modifications to external authentication methods (EAMs) in Microsoft Entra ID via Microsoft Graph API. Adversaries may abuse this capability to bypass multi-factor authentication (MFA), enabling persistence or unauthorized access through bring-your-own identity provider (BYOIDP) methods.

### Possible investigation steps
- Validate that `event.action` is `"Microsoft Graph Activity"` and that `http.request.method` is `"PATCH"`, indicating a configuration change was made.
- Confirm that `url.path` contains the string `authenticationMethodsPolicy`, which is associated with external authentication settings in Entra ID.
- Review `user.id` to identify the Azure AD object ID of the user or service principal that initiated the change.
- Examine `azure.graphactivitylogs.properties.app_id` to determine the application ID that performed the action.
- Analyze `azure.graphactivitylogs.properties.scopes[]` to assess whether the request used privileged scopes such as `AuthenticationMethod.ReadWrite.All`.
- Review the geographic origin of the request using `source.geo.*` and the `source.ip` field to identify anomalous locations.
- Examine `user_agent.original` to determine whether the request was made through a browser or automation (e.g., scripted activity).
- Correlate `azure.graphactivitylogs.properties.token_issued_at` and `azure.graphactivitylogs.properties.time_generated` to assess whether the change occurred shortly after token issuance.
- Investigate additional activity by the same `user.id` or `app_id` within a short timeframe (e.g., 30 minutes) to detect related suspicious behavior.
- Use the `operation_id` or `correlation_id` to pivot across related Graph API or Entra ID activity logs, if available.

### False positive analysis
- Legitimate administrative activity may trigger this rule, such as configuring FIDO2 or enabling passwordless sign-in methods during onboarding or security upgrades.
- Some enterprise integrations or federated identity providers may programmatically update EAM settings as part of legitimate operations.
- Routine security assessments or red team exercises may include changes to authentication policies. Validate with internal teams when in doubt.
- If appropriate, filter or suppress alerts originating from known trusted service principals or administrative accounts.

### Response and remediation
- Confirm whether the user or application that made the change was authorized to do so. If not, immediately revoke access and reset credentials as needed.
- Review the application or automation that triggered the change to ensure it is legitimate. If unauthorized, disable or remove it and rotate secrets or tokens it may have accessed.
- Audit current external authentication configurations and conditional access policies to ensure no persistent backdoors were introduced.
- Revoke session tokens associated with the change using Entra ID's portal or Microsoft Graph API, and enforce reauthentication where appropriate.
- Implement stricter RBAC or conditional access policies to prevent unauthorized EAM changes in the future.
- Monitor for repeat or similar activity from the same source or identity as part of an ongoing compromise assessment.
"""
references = ["https://dirkjanm.io/persisting-with-federated-credentials-entra-apps-managed-identities/"]
risk_score = 47
rule_id = "42c97e6e-60c3-11f0-832a-f661ea17fbcd"
severity = "medium"
tags = [
"Domain: Cloud",
"Domain: Identity",
"Data Source: Azure",
"Data Source: Microsoft Graph",
"Data Source: Microsoft Graph Activity Logs",
"Use Case: Identity and Access Audit",
"Resources: Investigation Guide",
"Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: azure.graphactivitylogs and
url.path: *authenticationMethodsPolicy* and
http.request.method: "PATCH" and
http.response.status_code: 200
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[[rule.threat.technique.subtechnique]]
id = "T1556.009"
name = "Conditional Access Policies"
reference = "https://attack.mitre.org/techniques/T1556/009/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.new_terms]
field = "new_terms_fields"
value = ["azure.graphactivitylogs.properties.user_principal_object_id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"


Loading