False positives

Users enrolling or joining devices while on corporate VPNs, consumer VPNs, or cloud egress that map to the listed ASNs may match. Legitimate mobile device management or bulk provisioning that uses the broker against the Device Registration Service from the same networks can also trigger alerts. Baseline `source.as.organization.name` and successful broker-to-DRS sign-ins before tuning exclusions for approved ASNs or user groups.

Techniques

Sample rules

Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN

Description

Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker requests the Device Registration Service from a source autonomous system number (ASN) associated with VPN, residential proxy, or hosting egress commonly observed in OAuth phishing and adversary-in-the-middle device registration flows. This pattern can indicate device join or primary refresh token acquisition staged from attacker-controlled infrastructure after a user completes authentication.

Detection logic

data_stream.dataset:"azure.signinlogs" and event.action:"Sign-in activity" and
source.as.number:(
    399629 or 14061 or 136787 or 9009 or 45102 or 215540 or 29802 or 62240 or 204957 or 395092 or 393406 or 400940 or
    59711 or 132203
) and
azure.signinlogs.properties.app_display_name:"Microsoft Authentication Broker" and
azure.signinlogs.properties.resource_display_name:"Device Registration Service"
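To show how the query above behaves on real-looking records and how the baselining step from the false-positive note feeds exclusion tuning, here is an added example (not part of the rule or of the LoFP entry). It re-implements the rule's conditions in Python over a handful of constructed sign-in events using Elastic's dotted field names. The ASN list is copied from the rule; the organization names, user names, the `user.groups` field and the use of `event.outcome` for success/failure are assumptions made for the example, not values taken from the page.

```python
from collections import Counter

# ASNs exactly as listed in the rule's source.as.number clause.
SUSPICIOUS_ASNS = {
    399629, 14061, 136787, 9009, 45102, 215540, 29802, 62240, 204957,
    395092, 393406, 400940, 59711, 132203,
}

BROKER_APP = "Microsoft Authentication Broker"
DRS_RESOURCE = "Device Registration Service"

# Constructed sample events (flattened dotted keys, as Elastic documents are
# commonly viewed). Organization names, users and groups are made up.
SAMPLE_EVENTS = [
    {"data_stream.dataset": "azure.signinlogs", "event.action": "Sign-in activity",
     "event.outcome": "success", "user.name": "alice", "user.groups": [],
     "source.as.number": 14061, "source.as.organization.name": "Hosting-A (constructed)",
     "azure.signinlogs.properties.app_display_name": BROKER_APP,
     "azure.signinlogs.properties.resource_display_name": DRS_RESOURCE},
    {"data_stream.dataset": "azure.signinlogs", "event.action": "Sign-in activity",
     "event.outcome": "success", "user.name": "bob", "user.groups": ["corporate-vpn-users"],
     "source.as.number": 399629, "source.as.organization.name": "VPN-B (constructed)",
     "azure.signinlogs.properties.app_display_name": BROKER_APP,
     "azure.signinlogs.properties.resource_display_name": DRS_RESOURCE},
    {"data_stream.dataset": "azure.signinlogs", "event.action": "Sign-in activity",
     "event.outcome": "success", "user.name": "carol", "user.groups": [],
     "source.as.number": 64500, "source.as.organization.name": "Corporate-ISP-C (constructed)",
     "azure.signinlogs.properties.app_display_name": BROKER_APP,
     "azure.signinlogs.properties.resource_display_name": DRS_RESOURCE},
    {"data_stream.dataset": "azure.signinlogs", "event.action": "Sign-in activity",
     "event.outcome": "success", "user.name": "dave", "user.groups": [],
     "source.as.number": 14061, "source.as.organization.name": "Hosting-A (constructed)",
     "azure.signinlogs.properties.app_display_name": "Some Other App",
     "azure.signinlogs.properties.resource_display_name": DRS_RESOURCE},
    {"data_stream.dataset": "azure.signinlogs", "event.action": "Sign-in activity",
     "event.outcome": "failure", "user.name": "eve", "user.groups": [],
     "source.as.number": 215540, "source.as.organization.name": "Hosting-D (constructed)",
     "azure.signinlogs.properties.app_display_name": BROKER_APP,
     "azure.signinlogs.properties.resource_display_name": DRS_RESOURCE},
    {"data_stream.dataset": "azure.signinlogs", "event.action": "Sign-in activity",
     "event.outcome": "success", "user.name": "frank", "user.groups": ["corporate-vpn-users"],
     "source.as.number": 399629, "source.as.organization.name": "VPN-B (constructed)",
     "azure.signinlogs.properties.app_display_name": BROKER_APP,
     "azure.signinlogs.properties.resource_display_name": DRS_RESOURCE},
]


def is_broker_drs_signin(event):
    """The broker -> DRS part of the rule, independent of source ASN."""
    return (
        event.get("data_stream.dataset") == "azure.signinlogs"
        and event.get("event.action") == "Sign-in activity"
        and event.get("azure.signinlogs.properties.app_display_name") == BROKER_APP
        and event.get("azure.signinlogs.properties.resource_display_name") == DRS_RESOURCE
    )


def matches_rule(event, suspicious_asns=frozenset(SUSPICIOUS_ASNS)):
    """Full rule: broker -> DRS sign-in from one of the listed ASNs."""
    return is_broker_drs_signin(event) and event.get("source.as.number") in suspicious_asns


def baseline_asn_orgs(events):
    """Baselining step from the LoFP note: count source.as.organization.name
    over *successful* broker -> DRS sign-ins from every ASN, so an analyst can
    see which networks legitimately register devices before adding exclusions."""
    counts = Counter()
    for e in events:
        if is_broker_drs_signin(e) and e.get("event.outcome") == "success":
            counts[e.get("source.as.organization.name")] += 1
    return counts


def tuned_alerts(events, approved_asns=frozenset(), approved_groups=frozenset()):
    """Apply the rule, then drop matches from approved ASNs or approved user
    groups (user.groups is a hypothetical enrichment field). Returns user names."""
    alerts = []
    for e in events:
        if not matches_rule(e):
            continue
        if e.get("source.as.number") in approved_asns:
            continue
        if set(e.get("user.groups") or []) & set(approved_groups):
            continue
        alerts.append(e["user.name"])
    return alerts


if __name__ == "__main__":
    print("baseline:", dict(baseline_asn_orgs(SAMPLE_EVENTS)))
    print("untuned:", tuned_alerts(SAMPLE_EVENTS))
    print("group exclusion:", tuned_alerts(SAMPLE_EVENTS, approved_groups={"corporate-vpn-users"}))
```

The baseline counter is the artefact worth keeping: networks that appear there repeatedly with successful broker-to-DRS sign-ins are candidates for an ASN or group exclusion, whereas a listed ASN that never appears in the baseline should stay in the rule.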