
Summary
Detects when a single user enrolls three or more distinct devices within a 30-minute window (bucketed into 15-minute intervals) via Microsoft Entra ID (Azure AD) audit logs. Each device enrollment creates a separate certificate-bound principal with its own PRT, and because device-bound PRTs survive user-level session revocation and password resets, multiple concurrent device registrations establish broad, persistent device-based footholds. The rule targets abnormal multi-device enrollment patterns indicative of adversary-in-the-middle (AiTM) phishing kit activity or token-replay tooling using stolen refresh tokens or PRTs. The alert aggregates by user and time bucket, collecting distinct device names, user agents, and network metadata (IP, ASN, geo) to identify homogeneous device registrations across a short interval and to surface related behavior such as consistent device names, identical OS builds, or suspicious registration clients. The rule emphasizes cross-referencing registration events with Add device events, MFA method registrations, and sign-in/audit events to support triage, response, and potential conditional access enforcement. It also includes guidance for investigation steps, false positives, and remediation actions to remove rogue devices and revoke tokens.
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Active Directory
- Cloud Service
ATT&CK Techniques
- T1098
- T1098.005
- T1078
- T1078.004
- T1557
Created: 2026-06-26