LoFP: Custom device management agents, OEM enrollment clients, or updated Microsoft clients that use new user-agent strings may match. Add exclusions for known `azure.auditlogs.properties.userAgent` values or enrollment programs after review.

Techniques

Sample rules

Entra ID Register Device with Unusual User Agent (Azure AD Join)

Description

Detects successful Microsoft Entra ID audit events for "Register device" where the additional details indicate an Azure AD join and the recorded user agent is not one of the common native registration clients (Dsreg, DeviceRegistrationClient, or the Dalvik-based Android enrollment client). Legitimate Windows and standard mobile enrollment flows usually present predictable user-agent strings; an unexpected client may reflect scripted registration, third-party tooling, or adversary-driven device registration used for persistence or token abuse. Baseline approved provisioning tools and MDM integrations before tuning.

Detection logic

data_stream.dataset:"azure.auditlogs" and event.action:"Register device" and
event.outcome:(success or Success) and
azure.auditlogs.properties.userAgent:(* and not (Dsreg* or DeviceRegistrationClient or Dalvik*)) and
azure.auditlogs.properties.additional_details.value:"Azure AD join"
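As an added example (not part of the rule or the original page), the following Python re-implements the detection logic above over a handful of constructed audit events, so you can see which user agents alert and how the false-positive guidance (exclusions for known enrollment clients) is applied as an extra pattern list. The event layout mirrors the dotted field names in the query; the `JoinType` detail key, the `ContosoMDMAgent` user agent and the sample user-agent strings are assumptions made up for the demonstration, and the wildcard matching uses case-sensitive glob semantics as an approximation of KQL wildcard terms on a keyword field.

```python
import fnmatch

# Native registration clients the rule itself already excludes (taken from the query).
NATIVE_CLIENT_PATTERNS = ("Dsreg*", "DeviceRegistrationClient", "Dalvik*")


def get_field(event, dotted_path):
    """Walk a dotted ECS-style path through a nested dict; None if any step is missing."""
    node = event
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_excluded_user_agent(user_agent, extra_patterns=()):
    """Case-sensitive glob match, approximating KQL wildcard terms on a keyword field.
    extra_patterns carries exclusions added after review (the LoFP tuning)."""
    return any(fnmatch.fnmatchcase(user_agent, p)
               for p in (*NATIVE_CLIENT_PATTERNS, *extra_patterns))


def has_azure_ad_join_detail(event):
    """additional_details is a list of {key, value} objects; the rule needs any value
    equal to 'Azure AD join' (a single dict is tolerated for convenience)."""
    details = get_field(event, "azure.auditlogs.properties.additional_details") or []
    if isinstance(details, dict):
        details = [details]
    return any(d.get("value") == "Azure AD join" for d in details)


def matches_rule(event, extra_patterns=()):
    """Re-implementation of the rule's query, plus optional tuned exclusions."""
    if get_field(event, "data_stream.dataset") != "azure.auditlogs":
        return False
    if get_field(event, "event.action") != "Register device":
        return False
    if get_field(event, "event.outcome") not in ("success", "Success"):
        return False
    ua = get_field(event, "azure.auditlogs.properties.userAgent")
    if not ua or is_excluded_user_agent(ua, extra_patterns):
        return False
    return has_azure_ad_join_detail(event)


def make_event(user_agent, detail="Azure AD join", outcome="success",
               action="Register device"):
    """Build a constructed audit event in the shape the rule queries (sample data,
    not real logs; 'JoinType' is an assumed detail key)."""
    return {
        "data_stream": {"dataset": "azure.auditlogs"},
        "event": {"action": action, "outcome": outcome},
        "azure": {"auditlogs": {"properties": {
            "userAgent": user_agent,
            "additional_details": [{"key": "JoinType", "value": detail}],
        }}},
    }


# Constructed sample events covering the baseline clients, a scripted client,
# a workplace-join (not an Azure AD join), a failed attempt and a custom MDM agent.
SAMPLE_EVENTS = [
    make_event("Dsreg/10.0 (Windows 10.0.19045.3693)"),            # native Windows join
    make_event("Dalvik/2.1.0 (Linux; U; Android 13; Pixel 7)"),     # Android enrollment
    make_event("DeviceRegistrationClient"),                          # native client
    make_event("python-requests/2.31.0"),                            # scripted registration
    make_event("Mozilla/5.0 (Windows NT 10.0)", detail="Azure AD registered"),
    make_event("python-requests/2.31.0", outcome="failure"),         # failed, not alerted
    make_event("ContosoMDMAgent/3.2"),                               # assumed custom MDM agent
]


def evaluate(events, extra_patterns=()):
    """Return the user agents of the events that would alert."""
    return [get_field(e, "azure.auditlogs.properties.userAgent")
            for e in events if matches_rule(e, extra_patterns)]


if __name__ == "__main__":
    print("untuned:", evaluate(SAMPLE_EVENTS))
    print("tuned:  ", evaluate(SAMPLE_EVENTS, extra_patterns=["ContosoMDMAgent/*"]))
```

Without tuning both the scripted client and the custom MDM agent alert; once the reviewed agent is added to the exclusion list only the scripted registration remains, which is the behaviour the LoFP note describes.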