From 9da94fed9bceab871ae586b566be8797143816c4 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Fri, 21 Feb 2025 13:08:42 -0500 Subject: [PATCH] fixing double header in investigation notes --- .../credential_access_first_time_seen_device_code_auth.toml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml index d73d391f8e3..e5e17e7b391 100644 --- a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml +++ b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/14" integration = ["azure"] maturity = "production" -updated_date = "2025/02/18" +updated_date = "2025/02/21" [rule] author = ["Elastic", "Matteo Potito Giorgio"] @@ -19,8 +19,6 @@ license = "Elastic License v2" name = "First Occurrence of Entra ID Auth via DeviceCode Protocol" note = """## Triage and analysis -## Triage and Analysis - ### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol This rule detects the first instance of a user authenticating via the **DeviceCode** authentication protocol within a **14-day window**. The **DeviceCode** authentication workflow is designed for devices that lack keyboards, such as IoT devices and smart TVs. However, adversaries can abuse this mechanism by phishing users and stealing authentication tokens, leading to unauthorized access.