Tunes the `Entra ID Suspicious Cloud Device Registration` rule to improve detection coverage. The rule had no hits in 180 days despite known ROADtools activity due to overly specific filters.

Changes:
- Remove OS version filter (`10.0.19041.928`) - caused ~20% false negatives as ROADtools can use different versions
- Increase lookback from `now-9m` to `now-1h` for Azure ingestion delays
- Increase maxspan from `1m` to `5m` for manual execution variability
- Add `Dsreg/*` and `DeviceRegistrationClient` user-agent patterns for tool variant coverage

Validation:
Emulated with ROADtools (`roadtx device -a register`). Analyzed 6 device registration events confirming `Microsoft.OData.Client/*` is the primary indicator. No additional filters recommended - OS version, DeviceTrustType, and geography all vary across legitimate attack samples.

References:
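The following is an added illustration of three of the tuning decisions above (dropping the OS version filter, widening maxspan, and adding the user-agent variants); it is not the rule's EQL and not code from this PR or from Elastic. It models the rule as "sign-in followed by a device registration from the same user within maxspan, where the registration user agent matches one of the patterns", runs that logic over constructed sample events, and shows why the pre-tuning configuration produced no hits. Field names (`ts`, `user`, `kind`, `user_agent`, `os_version`), the exact sequence shape, and the wildcard form `DeviceRegistrationClient*` are assumptions made for the demo.

```python
"""Demo of the maxspan / OS-version / user-agent tuning described in this PR.

Added example, not the rule's query. Events below are constructed, not real
Entra ID telemetry; field names and the sequence shape are assumptions.
"""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Original indicator plus the two variants the PR adds. The wildcard suffix on
# DeviceRegistrationClient is an assumption for this demo.
ORIGINAL_PATTERNS = ("Microsoft.OData.Client/*",)
TUNED_PATTERNS = ORIGINAL_PATTERNS + ("Dsreg/*", "DeviceRegistrationClient*")

# Settings before and after the tuning described in the PR.
MAXSPAN_BEFORE = timedelta(minutes=1)
MAXSPAN_AFTER = timedelta(minutes=5)
OS_VERSION_FILTER = "10.0.19041.928"  # the filter the PR removes

T0 = datetime(2024, 1, 1, 12, 0, 0)

# Constructed sample events: a sign-in followed by a device-registration
# audit event per user. None of this is captured telemetry.
EVENTS = [
    {"ts": T0, "user": "alice", "kind": "signin"},
    # ROADtools-style registration 3 minutes later, newer OS build.
    {"ts": T0 + timedelta(minutes=3), "user": "alice", "kind": "device_registration",
     "user_agent": "Microsoft.OData.Client/8.2.0", "os_version": "10.0.22621.2715"},
    {"ts": T0, "user": "bob", "kind": "signin"},
    # Dsreg variant, fast, matching the old OS version exactly.
    {"ts": T0 + timedelta(seconds=30), "user": "bob", "kind": "device_registration",
     "user_agent": "Dsreg/10.0 (Windows 10.0.19041.928)", "os_version": "10.0.19041.928"},
    {"ts": T0, "user": "carol", "kind": "signin"},
    # Browser user agent: should never match.
    {"ts": T0 + timedelta(seconds=10), "user": "carol", "kind": "device_registration",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "os_version": "10.0.19041.928"},
    # Matching user agent but no preceding sign-in: sequence never completes.
    {"ts": T0 + timedelta(seconds=20), "user": "dave", "kind": "device_registration",
     "user_agent": "Microsoft.OData.Client/8.2.0", "os_version": "10.0.19041.928"},
]


def user_agent_matches(user_agent, patterns):
    """Case-sensitive wildcard match against the configured patterns."""
    return any(fnmatchcase(user_agent, p) for p in patterns)


def correlate(events, maxspan, patterns, os_version=None):
    """Return (signin, registration) pairs.

    A hit is a device registration whose user agent matches `patterns`
    (and whose os_version equals `os_version`, if one is given), preceded by
    a sign-in from the same user no more than `maxspan` earlier.
    """
    ordered = sorted(events, key=lambda e: e["ts"])
    hits = []
    for reg in ordered:
        if reg["kind"] != "device_registration":
            continue
        if not user_agent_matches(reg["user_agent"], patterns):
            continue
        if os_version is not None and reg["os_version"] != os_version:
            continue
        for prior in ordered:
            if (prior["kind"] == "signin" and prior["user"] == reg["user"]
                    and prior["ts"] <= reg["ts"]
                    and reg["ts"] - prior["ts"] <= maxspan):
                hits.append((prior, reg))
                break
    return hits


def hit_users(events, maxspan, patterns, os_version=None):
    """Sorted list of users whose activity completes the sequence."""
    return sorted(reg["user"] for _, reg in correlate(events, maxspan, patterns, os_version))


if __name__ == "__main__":
    print("before tuning:", hit_users(EVENTS, MAXSPAN_BEFORE, ORIGINAL_PATTERNS, OS_VERSION_FILTER))
    print("after tuning: ", hit_users(EVENTS, MAXSPAN_AFTER, TUNED_PATTERNS))
```

With the pre-tuning settings (1m maxspan, OData-only pattern, exact OS version) none of the four users fire: alice is dropped by the OS filter and the short maxspan, bob by the missing `Dsreg/*` pattern, carol by her browser user agent, and dave because the sequence has no preceding sign-in. With the tuned settings alice and bob fire while carol and dave still do not, which is the behaviour the PR is after. The lookback change (`now-9m` to `now-1h`) is a scheduling parameter and is not modelled here.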