[New Rule] Entra ID Multiple Device Registrations by a Single User#6350
Open
terrancedejesus wants to merge 7 commits into
Open
[New Rule] Entra ID Multiple Device Registrations by a Single User#6350terrancedejesus wants to merge 7 commits into
terrancedejesus wants to merge 7 commits into
Conversation
Contributor
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
bryans3c
reviewed
Jul 2, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new Azure/Entra ID detection rule to identify potential adversary-driven device persistence by flagging bursts of device registrations attributed to a single user over a short time window.
Changes:
- Introduces a new ES|QL rule for Microsoft Entra ID Audit Logs to detect multiple device registrations by the same user within a 15-minute window.
- Includes an investigation guide with triage pivots and response actions tailored to AiTM/token replay device-join persistence scenarios.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request
Issue link(s):
Summary - What I changed
Detects multiple Microsoft Entra ID device registrations by a single user, where two or more distinct devices are
registered within a 15-minute window. A legitimate user enrolling a device produces a single "Register device" event;
registering multiple distinct devices in quick succession is uncommon and is the fingerprint behavior of
adversary-in-the-middle (AiTM) phishing kits and stolen-token replay tooling (for example Kali365), which mint a new
Azure AD-joined device, and therefore a new Primary Refresh Token (PRT), per relay or replay attempt. Each registered
device is a separate certificate-bound principal whose PRT survives user-level session revocation and password resets,
so multiple registrations on a single low-privilege identity establish device-bound persistence at scale.
How To Test
Query can be used in TRADE serverless stack.
Checklist
bug,enhancement,schema,maintenance,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generatedmeta:rapid-mergelabel if planning to merge within 24 hoursContributor checklist