Techniques
Sample rules
Microsoft Entra ID SharePoint Access for User Principal via Auth Broker
- source: elastic
- techniques:
- T1213
Description
This rule detects non-interactive authentication activity against SharePoint Online (Office 365 SharePoint Online) by a user principal via the Microsoft Authentication Broker application. The session leverages a refresh token or Primary Refresh Token (PRT) without interactive sign-in, often used in OAuth phishing or token replay scenarios.
Detection logic
event.dataset: "azure.signinlogs"
and azure.signinlogs.properties.app_id: "29d9ed98-a469-4536-ade2-f981bc1d605e"
and azure.signinlogs.properties.resource_id: "00000003-0000-0ff1-ce00-000000000000"
and azure.signinlogs.identity: *
and azure.signinlogs.properties.user_principal_name: *
and azure.signinlogs.properties.incoming_token_type: ("refreshToken" or "primaryRefreshToken")
and azure.signinlogs.properties.is_interactive: false
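To make the KQL above concrete, the following Python script re-implements each clause of the rule as a predicate and runs it over a handful of constructed Azure sign-in events. This is an added example, not Elastic's code: the application ID and resource ID are the ones from the rule above, the nested ECS-style field layout, the `make_event` helper and every sample event (names, UPNs, placeholder GUIDs) are assumptions constructed for the demonstration.

```python
"""Added example: evaluate the page's KQL detection logic over constructed sign-in events."""
from typing import Any, Dict, List, Optional, Tuple

# Identifiers copied from the rule on the page (exact-match string clauses in the KQL).
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
SHAREPOINT_RESOURCE_ID = "00000003-0000-0ff1-ce00-000000000000"
# Token types the rule treats as evidence of a non-interactive session.
NON_INTERACTIVE_TOKEN_TYPES = {"refreshToken", "primaryRefreshToken"}


def get_field(event: Dict[str, Any], path: str) -> Optional[Any]:
    """Return the value at a dotted ECS path, or None if the field is absent.

    A None result models the KQL 'field: *' existence check failing.
    """
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event: Dict[str, Any]) -> bool:
    """True when the event satisfies every clause of the page's detection logic."""
    props = "azure.signinlogs.properties."
    return (
        get_field(event, "event.dataset") == "azure.signinlogs"
        and get_field(event, props + "app_id") == AUTH_BROKER_APP_ID
        and get_field(event, props + "resource_id") == SHAREPOINT_RESOURCE_ID
        and get_field(event, "azure.signinlogs.identity") is not None
        and get_field(event, props + "user_principal_name") is not None
        and get_field(event, props + "incoming_token_type") in NON_INTERACTIVE_TOKEN_TYPES
        and get_field(event, props + "is_interactive") is False
    )


def make_event(app_id: str, resource_id: str, token_type: str, interactive: bool,
               upn: Optional[str] = "alice@example.test",
               identity: Optional[str] = "Alice Example") -> Dict[str, Any]:
    """Build a constructed sign-in event in the nested layout the rule's field names imply (assumed)."""
    return {
        "event": {"dataset": "azure.signinlogs"},
        "azure": {"signinlogs": {
            "identity": identity,
            "properties": {
                "app_id": app_id,
                "resource_id": resource_id,
                "user_principal_name": upn,
                "incoming_token_type": token_type,
                "is_interactive": interactive,
            },
        }},
    }


# Constructed sample events (not real telemetry). Placeholder GUIDs are made up.
OTHER_APP_ID = "00000000-0000-0000-0000-placeholder1"
OTHER_RESOURCE_ID = "00000000-0000-0000-0000-placeholder2"
SAMPLE_EVENTS: List[Tuple[str, Dict[str, Any]]] = [
    ("prt-sharepoint", make_event(AUTH_BROKER_APP_ID, SHAREPOINT_RESOURCE_ID, "primaryRefreshToken", False)),
    ("refresh-sharepoint", make_event(AUTH_BROKER_APP_ID, SHAREPOINT_RESOURCE_ID, "refreshToken", False)),
    ("interactive-sharepoint", make_event(AUTH_BROKER_APP_ID, SHAREPOINT_RESOURCE_ID, "primaryRefreshToken", True)),
    ("other-resource", make_event(AUTH_BROKER_APP_ID, OTHER_RESOURCE_ID, "refreshToken", False)),
    ("other-app", make_event(OTHER_APP_ID, SHAREPOINT_RESOURCE_ID, "refreshToken", False)),
    ("missing-upn", make_event(AUTH_BROKER_APP_ID, SHAREPOINT_RESOURCE_ID, "refreshToken", False, upn=None)),
]


def run_detection(events: List[Tuple[str, Dict[str, Any]]]) -> List[str]:
    """Return the labels of the events the rule would alert on, in input order."""
    return [label for label, ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for label in run_detection(SAMPLE_EVENTS):
        print("ALERT:", label)  # expected: prt-sharepoint, refresh-sharepoint
```

Only the two non-interactive SharePoint sessions from the broker application fire; the interactive sign-in, the other resource, the other application and the event with no user principal name are all excluded, mirroring how the `: *` clauses require the field to be populated. When triaging a hit, the `user_principal_name` and `identity` fields identify whose token was replayed, so pivot on those to check whether the same principal also signed in interactively from an expected device shortly before.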