LoFP LoFP / if the user is a developer or automation engineer, validate if this behavior was for testing purposes.

Techniques

Sample rules

Microsoft Entra ID SharePoint Access for User Principal via Auth Broker

Description

This rule detects non-interactive authentication activity against SharePoint Online (Office 365 SharePoint Online) by a user principal via the Microsoft Authentication Broker application. The session leverages a refresh token or Primary Refresh Token (PRT) without interactive sign-in, often used in OAuth phishing or token replay scenarios.

Detection logic

event.dataset: "azure.signinlogs"
    and azure.signinlogs.properties.app_id: "29d9ed98-a469-4536-ade2-f981bc1d605e"
    and azure.signinlogs.properties.resource_id: "00000003-0000-0ff1-ce00-000000000000"
    and azure.signinlogs.identity: *
    and azure.signinlogs.properties.user_principal_name: *
    and azure.signinlogs.properties.incoming_token_type: ("refreshToken" or "primaryRefreshToken")
    and azure.signinlogs.properties.is_interactive: false