[New Rule] Entra ID / M365 - Unusual ROPC Auth and/or Legacy Clients#6377
[New Rule] Entra ID / M365 - Unusual ROPC Auth and/or Legacy Clients#6377terrancedejesus wants to merge 1 commit into
Conversation
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
There was a problem hiding this comment.
Pull request overview
Adds new detections and a tuning update to improve coverage for Entra ID / M365 legacy-auth and ROPC-style sign-ins (including the BAV2ROPC user agent), with the goal of catching password-spray / account takeover activity across both Entra Sign-In Logs and M365 Unified Audit Logs.
Changes:
- Adds a new M365 UAL New Terms rule for successful
UserLoggedInevents withuser_agent.original: "BAV2ROPC"(legacy client translated into ROPC). - Adds a new Entra ID New Terms rule for first-time-seen legacy
client_app_usedvalues (Authenticated SMTP/IMAP/POP/EAS/etc.). - Tunes the existing Entra ID ROPC New Terms rule to also match
BAV2ROPCand refreshes references/updated_date.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| rules/integrations/o365/initial_access_identity_ropc_grant_via_legacy_authenticated_client.toml | New M365 UAL New Terms rule to detect first-seen successful BAV2ROPC sign-ins. |
| rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml | Tunes existing Entra ROPC rule to include BAV2ROPC and updates metadata/references. |
| rules/integrations/azure/initial_access_entra_id_unusual_legacy_auth_client_signin.toml | New Entra New Terms rule to detect first-seen successful legacy client sign-ins via client_app_used. |
|
|
||
| The Resource Owner Password Credentials (ROPC) flow allows a client to obtain tokens by submitting a user's credentials directly, without interactive sign-in. Legacy authentication clients (Authenticated SMTP, IMAP, POP, Exchange ActiveSync) that use basic authentication are translated by Entra ID into ROPC grants, which are single-factor and bypass interactive MFA. Microsoft 365 records these logins in the Unified Audit Log as `UserLoggedIn` events with the `BAV2ROPC` user agent. Adversaries abuse this flow for password spraying and account takeover against accounts that lack MFA enforcement or fall outside legacy-authentication blocking. | ||
|
|
||
| This rule identifies a successful ROPC/legacy-client login for a user principal not seen performing this activity in the last 10 days. Because the Unified Audit Log is a separate pipeline from the Entra ID sign-in diagnostic stream, this rule provides coverage even when non-interactive sign-in logs are not forwarded to the SIEM. |
| client authentication for a given user, which is unusual in most modern environments. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["filebeat-*", "logs-azure.signinlogs-*"] |
There was a problem hiding this comment.
| index = ["filebeat-*", "logs-azure.signinlogs-*"] | |
| index = ["logs-azure.signinlogs-*"] |
nit: Should we exclude filebeat?
| unusual activity. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["filebeat-*", "logs-azure.signinlogs-*"] |
There was a problem hiding this comment.
| index = ["logs-azure.signinlogs-*"] |
nit: Should we exclude filebeat?
| value = ["azure.signinlogs.properties.user_principal_name"] | ||
| [[rule.new_terms.history_window_start]] | ||
| field = "history_window_start" | ||
| value = "now-10d" |
There was a problem hiding this comment.
| value = "now-7d" |
nit: Should we switch to 7d for performance?
| This is commonly abused during password spraying and account takeover. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["filebeat-*", "logs-o365.audit-*"] |
There was a problem hiding this comment.
| index = ["filebeat-*", "logs-o365.audit-*"] | |
| index = ["logs-o365.audit-*"] |
Pull Request
Issue link(s):
Adds a couple detections around ROPC auth and legacy authentication clients for Entra ID and M365. Originally we only had ROPC in Entra ID, that has been added for M365 UAL logs. Also tuned a rule to be either ROPC auth or
BAV2ROPCwhich is the default user-agent by MSFT for ROPC from legacy apps to use OAuth.M365 OAuth ROPC Grant via Legacy Authenticated Client
Detects a successful M365 Unified Audit Log UserLoggedIn where user_agent.original is BAV2ROPC, indicating a legacy basic-auth client (SMTP/IMAP/POP/EAS) translated by Entra into a single-factor ROPC grant that bypasses interactive MFA. Serves as a backstop to the Entra Sign-In ROPC rule since UAL is a separate ingestion pipeline that still captures this login when non-interactive sign-in logs aren't forwarded.
New: Entra ID User Sign-In via Unusual Legacy Authentication Client
New Terms rule that fires when a Member user is first seen (in 7 days) successfully authenticating via any Microsoft-defined legacy client_app_used protocol, which is unusual in modern-auth environments and common in password spraying / account takeover. Uses an explicit legacy inclusion-list (not a "not-modern" exclusion) specifically to avoid the high-volume Unknown service-principal bucket, and keys on client_app_used rather than app_id because legacy basic-auth records the app as the benign Office 365 Exchange Online.
Summary - What I changed
How To Test
Queries can be used in TRADE stack and others.
Checklist
bug,enhancement,schema,maintenance,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generatedmeta:rapid-mergelabel if planning to merge within 24 hoursContributor checklist