Description
Link to Rule
Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Summary
The rule needs adjusting, as it is generating false positives when mobile endpoints switch between local and cell networks. The query also needs adjusting to aggregate on the FOCI client being used, along with the Session ID and User ID. The client ID should be the same from the initial OAuth phishing through to Graph access, based on the claims in the token.
We removed the bucketed time window, as it was working incorrectly for identifying sign-in-to-Graph events that otherwise correlated correctly. Instead we can rely on the time difference between sign-in events and Graph requests. We've also added the Graph app ID and user principal type as additional filters on the sign-in events to help narrow the correlation and be more accurate about the expected OAuth phishing for Graph access with .default permission scopes.
Dynamic field names have been updated to match best practices and guidelines.

Example Data
Example data loaded into TRADE stack.
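As an added illustration of the correlation described in the Summary (example code, not the rule's own query or the detection-rules repository's code): sign-in events and Graph requests are paired on client ID, session ID and user ID using the raw time difference instead of a bucketed window, with the sign-in side filtered to the Graph app ID, a user principal and a `.default` scope. The event field names, the `GRAPH_APP_ID` placeholder, the 30-minute gap and all sample events are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

GRAPH_APP_ID = "GRAPH-APP-ID-PLACEHOLDER"  # placeholder: substitute the real Graph app ID
MAX_GAP = timedelta(minutes=30)            # assumption: max sign-in -> Graph request gap


def correlate(signins, graph_requests, max_gap=MAX_GAP):
    """Pair each Graph request with sign-ins sharing client, session and user ID,
    where the sign-in targeted Graph by a user principal with a .default scope and
    the Graph request followed within max_gap. Source IP is deliberately not part
    of the key, so a mobile endpoint moving from Wi-Fi to cellular still correlates."""
    index = {}
    for s in signins:
        if s["resource_id"] != GRAPH_APP_ID or s["principal_type"] != "User":
            continue
        if not any(sc.endswith("/.default") for sc in s["scopes"]):
            continue
        key = (s["client_id"], s["session_id"], s["user_id"])
        index.setdefault(key, []).append(s)
    matches = []
    for g in graph_requests:
        for s in index.get((g["client_id"], g["session_id"], g["user_id"]), []):
            gap = datetime.fromisoformat(g["ts"]) - datetime.fromisoformat(s["ts"])
            if timedelta(0) <= gap <= max_gap:
                matches.append((s, g))
    return matches


def _signin(ts, user, sess, client, resource, ptype, ip):
    return {"ts": ts, "user_id": user, "session_id": sess, "client_id": client,
            "resource_id": resource, "principal_type": ptype, "source_ip": ip,
            "scopes": ["https://graph.microsoft.com/.default"]}


def _graph(ts, user, sess, client, ip):
    return {"ts": ts, "user_id": user, "session_id": sess, "client_id": client, "source_ip": ip}


# Constructed sample events (not real log data).
SIGNINS = [
    _signin("2024-05-01T10:00:00", "u1", "s1", "foci-app-a", GRAPH_APP_ID, "User", "10.0.0.5"),
    _signin("2024-05-01T10:01:00", "u2", "s2", "foci-app-a", "OTHER-RESOURCE", "User", "10.0.0.6"),
    _signin("2024-05-01T10:01:00", "u3", "s3", "svc-app", GRAPH_APP_ID, "ServicePrincipal", "10.0.0.7"),
]
GRAPH_REQUESTS = [
    _graph("2024-05-01T10:05:00", "u1", "s1", "foci-app-a", "203.0.113.9"),  # cell IP, same IDs: match
    _graph("2024-05-01T12:00:00", "u1", "s1", "foci-app-a", "10.0.0.5"),     # too long after sign-in
    _graph("2024-05-01T10:03:00", "u2", "s2", "foci-app-a", "10.0.0.6"),     # sign-in was not to Graph
]
```

Running `correlate(SIGNINS, GRAPH_REQUESTS)` returns only the u1 pair, even though its source IP changed between the sign-in and the Graph request.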