Device Registration

// T1098.005 - Device Registration Detection
// Detects suspicious device registrations in Entra ID / Azure AD
let SuspiciousDeviceRegistration = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in (
    "Add device",
    "Register device",
    "Add registered owner to device",
    "Add registered users to device",
    "Update device",
    "Enroll device"
  )
| where Result =~ "success"
| extend
    InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName),
    InitiatedByIP = tostring(InitiatedBy.user.ipAddress),
    InitiatedByAppId = tostring(InitiatedBy.app.appId),
    InitiatedByAppName = tostring(InitiatedBy.app.displayName),
    DeviceDisplayName = tostring(TargetResources[0].displayName),
    DeviceId = tostring(TargetResources[0].id),
    ModifiedProps = TargetResources[0].modifiedProperties
| extend DeviceOS = tostring(parse_json(tostring(ModifiedProps))[0].newValue)
| project
    TimeGenerated,
    OperationName,
    InitiatedByUPN,
    InitiatedByIP,
    InitiatedByAppId,
    InitiatedByAppName,
    DeviceDisplayName,
    DeviceId,
    Result,
    Category,
    CorrelationId;
let RecentSignins = SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| project
    SigninTime = TimeGenerated,
    SigninUPN = UserPrincipalName,
    SigninIP = IPAddress,
    SigninAppDisplayName = AppDisplayName,
    SigninCountry = LocationDetails.countryOrRegion,
    SigninRiskLevel = RiskLevelDuringSignIn,
    SigninRiskState = RiskState,
    IsInteractive;
SuspiciousDeviceRegistration
| join kind=leftouter (
    RecentSignins
    | where SigninRiskLevel in ("high", "medium") or SigninRiskState in ("atRisk", "confirmedCompromised")
  ) on $left.InitiatedByUPN == $right.SigninUPN
| union (
    // Also catch bulk/rapid device registrations from same user or IP
    SuspiciousDeviceRegistration
    | summarize
        DeviceCount = count(),
        DeviceNames = make_set(DeviceDisplayName),
        OperationNames = make_set(OperationName),
        FirstSeen = min(TimeGenerated),
        LastSeen = max(TimeGenerated)
      by InitiatedByUPN, InitiatedByIP, bin(TimeGenerated, 1h)
    | where DeviceCount >= 3
    | extend AlertReason = strcat("Bulk device registration: ", tostring(DeviceCount), " devices in 1 hour")
  )
| extend SuspiciousIndicators = dynamic([])
| extend SuspiciousIndicators = iff(isnotempty(SigninRiskLevel) and SigninRiskLevel in ("high","medium"), array_concat(SuspiciousIndicators, dynamic(["risky-signin"])), SuspiciousIndicators)
| extend SuspiciousIndicators = iff(isnotempty(InitiatedByAppId) and InitiatedByAppName !in ("Microsoft Intune", "Microsoft Azure Active Directory Connect", "Microsoft Intune Enrollment", "Azure Active Directory"), array_concat(SuspiciousIndicators, dynamic(["unexpected-app"])), SuspiciousIndicators)
| sort by TimeGenerated desc

index=azure_audit sourcetype="azure:audit"
  (operationName="Add device" OR operationName="Register device" OR operationName="Add registered owner to device" OR operationName="Add registered users to device" OR operationName="Update device" OR operationName="Enroll device")
  result="success"
| eval initiatedByUPN=coalesce('initiatedBy.user.userPrincipalName', "unknown")
| eval initiatedByIP=coalesce('initiatedBy.user.ipAddress', "unknown")
| eval initiatedByApp=coalesce('initiatedBy.app.displayName', "unknown")
| eval deviceName=coalesce('targetResources{}.displayName', "unknown")
| eval deviceId=coalesce('targetResources{}.id', "unknown")
| eval isKnownEnrollmentApp=if(initiatedByApp IN ("Microsoft Intune", "Microsoft Azure Active Directory Connect", "Microsoft Intune Enrollment", "Azure Active Directory", "Microsoft Authentication Broker"), 1, 0)
| eval suspicionScore=0
| eval suspicionScore=suspicionScore + if(isKnownEnrollmentApp=0, 2, 0)
| eval suspicionScore=suspicionScore + if(match(initiatedByIP, "^(tor|vpn|proxy)"), 1, 0)
| stats
    count as registrationCount,
    values(deviceName) as deviceNames,
    values(operationName) as operations,
    values(initiatedByIP) as sourceIPs,
    values(initiatedByApp) as apps,
    sum(suspicionScore) as totalSuspicionScore,
    earliest(_time) as firstRegistration,
    latest(_time) as lastRegistration
  by initiatedByUPN
| eval bulkRegistration=if(registrationCount >= 3, 1, 0)
| eval totalSuspicionScore=totalSuspicionScore + if(bulkRegistration=1, 2, 0)
| where totalSuspicionScore > 0 OR bulkRegistration=1
| eval alertReason=case(
    bulkRegistration=1 AND totalSuspicionScore > 2, "Bulk registration by unexpected app",
    bulkRegistration=1, "Bulk device registration (3+ devices)",
    totalSuspicionScore > 2, "Device registered by unexpected application",
    true(), "Suspicious device registration"
  )
| table firstRegistration, lastRegistration, initiatedByUPN, sourceIPs, apps, deviceNames, registrationCount, totalSuspicionScore, alertReason
| sort - totalSuspicionScore

// T1098.005 — Bulk Device Registration (primary signal)
// Fires when the same user registers 3+ devices within 1 hour
sequence by azure.auditlogs.initiated_by.user.user_principal_name with maxspan=1h
  [any where
    event.dataset == "azure.auditlogs" and
    azure.auditlogs.operation_name in (
      "Add device",
      "Register device",
      "Add registered owner to device",
      "Add registered users to device",
      "Update device",
      "Enroll device"
    ) and
    event.outcome == "success"
  ] with runs=3

// ── Secondary (run as a separate saved query) ──────────────────────────────
// Fires on ANY single device registration initiated by an unexpected app
// any where
//   event.dataset == "azure.auditlogs" and
//   azure.auditlogs.operation_name in (
//     "Add device", "Register device", "Add registered owner to device",
//     "Add registered users to device", "Update device", "Enroll device"
//   ) and
//   event.outcome == "success" and
//   not azure.auditlogs.initiated_by.app.display_name in (
//     "Microsoft Intune",
//     "Microsoft Azure Active Directory Connect",
//     "Microsoft Intune Enrollment",
//     "Azure Active Directory",
//     "Microsoft Authentication Broker"
//   )

SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_registration,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS last_registration,
  username                                           AS initiated_by_upn,
  sourceip                                           AS source_ip,
  COUNT(*)                                           AS registration_count,
  LOGSOURCENAME(logsourceid)                         AS log_source_name,
  QIDNAME(qid)                                       AS event_name
FROM events
WHERE LOGSOURCETYPENAME(devicetype) LIKE '%Azure Active Directory%'
  AND (
       QIDNAME(qid) LIKE '%Add device%'
    OR QIDNAME(qid) LIKE '%Register device%'
    OR QIDNAME(qid) LIKE '%Add registered owner to device%'
    OR QIDNAME(qid) LIKE '%Add registered users to device%'
    OR QIDNAME(qid) LIKE '%Update device%'
    OR QIDNAME(qid) LIKE '%Enroll device%'
  )
  AND "result" = 'success'
  LAST 24 HOURS
GROUP BY
  username,
  sourceip
HAVING
  COUNT(*) >= 1
ORDER BY
  registration_count DESC

_sourceCategory=azure/audit OR _sourceCategory=azure/aad/audit
| json field=_raw "operationName"                            as operation_name nodrop
| json field=_raw "result"                                    as result nodrop
| json field=_raw "initiatedBy.user.userPrincipalName"        as initiated_by_upn nodrop
| json field=_raw "initiatedBy.user.ipAddress"                as source_ip nodrop
| json field=_raw "initiatedBy.app.displayName"               as app_name nodrop
| json field=_raw "targetResources[0].displayName"            as device_name nodrop
| json field=_raw "targetResources[0].id"                     as device_id nodrop
| where operation_name in (
    "Add device",
    "Register device",
    "Add registered owner to device",
    "Add registered users to device",
    "Update device",
    "Enroll device"
  )
| where result = "success"
| eval is_known_app = if (
    app_name in (
      "Microsoft Intune",
      "Microsoft Azure Active Directory Connect",
      "Microsoft Intune Enrollment",
      "Azure Active Directory",
      "Microsoft Authentication Broker"
    ), 1, 0
  )
| eval base_score = if (is_known_app = 0, 2, 0)
| timeslice 1h
| count as registration_count,
  values(device_name) as device_names,
  values(source_ip)   as source_ips,
  last(app_name)      as initiating_app,
  last(base_score)    as base_score
  by initiated_by_upn, _timeslice
| eval bulk_flag   = if (registration_count >= 3, 1, 0)
| eval total_score = base_score + if (bulk_flag = 1, 2, 0)
| where total_score > 0 or bulk_flag = 1
| eval alert_reason = if (
    bulk_flag = 1 and total_score > 2, "Bulk registration by unexpected app",
    if (bulk_flag = 1, "Bulk device registration (3+ in 1 hour)",
      if (total_score > 0, "Registration by unexpected application",
        "Suspicious device registration"
      )
    )
  )
| fields _timeslice, initiated_by_upn, source_ips, initiating_app, device_names, registration_count, total_score, alert_reason
| sort by total_score desc

// Rule 1 — Single registration by unexpected application
rule t1098_005_device_registration_unexpected_app {
  meta:
    author        = "Argus Detection Engineering"
    description   = "Detects Azure AD / Entra ID device registration initiated by an application outside the known MDM allowlist — consistent with adversary-controlled enrollment via AADInternals or similar tooling (T1098.005)"
    mitre_tactic  = "Persistence, Privilege Escalation"
    mitre_technique = "T1098.005"
    severity      = "HIGH"
    priority      = "HIGH"
    reference     = "https://attack.mitre.org/techniques/T1098/005/"

  events:
    $e.metadata.vendor_name      = "Microsoft"
    $e.metadata.product_name     = "Azure Active Directory"
    $e.metadata.event_status     = "SUCCESS"
    (
      $e.metadata.product_event_type = "Add device" or
      $e.metadata.product_event_type = "Register device" or
      $e.metadata.product_event_type = "Add registered owner to device" or
      $e.metadata.product_event_type = "Add registered users to device" or
      $e.metadata.product_event_type = "Update device" or
      $e.metadata.product_event_type = "Enroll device"
    )
    not $e.principal.application = /(?i)microsoft intune|intune enrollment|azure active directory connect|microsoft authentication broker|^azure active directory$/
    $e.principal.user.email_addresses[0] != ""
    $user = $e.principal.user.email_addresses[0]

  condition:
    $e
}


// Rule 2 — Bulk device registration (3+ devices from same user within 1 hour)
rule t1098_005_bulk_device_registration {
  meta:
    author        = "Argus Detection Engineering"
    description   = "Detects bulk Entra ID device enrollment — 3 or more successful device registrations from the same user within 1 hour — consistent with AADInternals Register-AADIntJoinedDevice automation and APT29 lateral-movement tradecraft (T1098.005)"
    mitre_tactic  = "Persistence, Privilege Escalation"
    mitre_technique = "T1098.005"
    severity      = "HIGH"
    priority      = "HIGH"
    reference     = "https://attack.mitre.org/techniques/T1098/005/"

  events:
    $e.metadata.vendor_name  = "Microsoft"
    $e.metadata.product_name = "Azure Active Directory"
    $e.metadata.event_status = "SUCCESS"
    (
      $e.metadata.product_event_type = "Add device" or
      $e.metadata.product_event_type = "Register device" or
      $e.metadata.product_event_type = "Enroll device"
    )
    $e.principal.user.email_addresses[0] != ""
    $user = $e.principal.user.email_addresses[0]

  match:
    $user over 1h

  condition:
    #e >= 3
}

// T1098.005 — Device Registration Detection (CrowdStrike Falcon LogScale / CQL)
// Assumes Azure AD audit logs ingested via Falcon LogScale Azure integration
// with ECS-compatible field mapping
event.dataset = "azure.auditlogs"
| azure.auditlogs.operation_name = /^(Add device|Register device|Add registered owner to device|Add registered users to device|Update device|Enroll device)$/
| event.outcome = "success"
| groupBy(
    [
      azure.auditlogs.initiated_by.user.user_principal_name,
      azure.auditlogs.initiated_by.user.ip_address
    ],
    function=[
      count(as=registrationCount),
      collect(
        field=azure.auditlogs.target_resources.0.display_name,
        as=deviceNames
      ),
      collect(
        field=azure.auditlogs.initiated_by.app.display_name,
        as=initiatingApps
      ),
      min(field=@timestamp, as=firstSeen),
      max(field=@timestamp, as=lastSeen)
    ]
  )
| isKnownApp := if(
    initiatingApps
      = /(?i)microsoft intune|intune enrollment|azure active directory connect|microsoft authentication broker|^azure active directory$/,
    "true",
    "false"
  )
| suspicionScore := if(isKnownApp = "false", 2, 0)
| suspicionScore := suspicionScore + if(registrationCount >= 3, 2, 0)
| case {
    registrationCount >= 3 and isKnownApp = "false"
      | alertReason := "Bulk registration by unexpected application" ;
    registrationCount >= 3
      | alertReason := "Bulk device registration (3+ devices in window)" ;
    isKnownApp = "false"
      | alertReason := "Device registration by unexpected application" ;
    *
      | alertReason := "Suspicious device registration"
  }
| where suspicionScore > 0 or registrationCount >= 3
| sort(field=suspicionScore, order=desc)
| table(
    [
      azure.auditlogs.initiated_by.user.user_principal_name,
      azure.auditlogs.initiated_by.user.ip_address,
      registrationCount,
      deviceNames,
      initiatingApps,
      suspicionScore,
      alertReason,
      firstSeen,
      lastSeen
    ]
  )