elastic · terrancedejesus · Dec 15, 2025 · Dec 17, 2025 · Dec 18, 2025 · Dec 18, 2025
diff --git a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml
@@ -2,12 +2,12 @@
 creation_date = "2025/06/16"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2025/12/15"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies when a Microsoft Entra ID user signs in from a device that is not typically used by the user, which may
+Identifies when a Microsoft Entra ID user signs in from a device that is not typically used by the user and is not managed, which may
 indicate potential compromise or unauthorized access attempts. This rule detects unusual sign-in activity by comparing
 the device used for the sign-in against the user's typical device usage patterns. Adversaries may create and register a
 new device to obtain a Primary Refresh Token (PRT) and maintain persistent access.
@@ -16,10 +16,10 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.signinlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Entra ID User Sign-in with Unusual Registered Device"
+name = "Entra ID User Sign-in with Unusual Non-Managed Device"
 note = """## Triage and analysis
 
-### Investigating Entra ID User Sign-in with Unusual Registered Device
+### Investigating Entra ID User Sign-in with Unusual Non-Managed Device
 
 This rule detects when a Microsoft Entra ID user signs in from a device that is not typically used by the user, which may indicate potential compromise or unauthorized access attempts. This rule detects unusual sign-in activity by comparing the device used for the sign-in against the user's typical device usage patterns. Adversaries may create and register a new device to obtain a Primary Refresh Token (PRT) and maintain persistent access.
 
@@ -71,6 +71,7 @@ event.dataset: "azure.signinlogs" and
     event.category: "authentication" and
     azure.signinlogs.properties.user_type: "Member" and
     azure.signinlogs.properties.token_protection_status_details.sign_in_session_status: "unbound" and
+    not azure.signinlogs.properties.device_detail.is_managed: true and
     not azure.signinlogs.properties.device_detail.device_id: "" and
     azure.signinlogs.properties.user_principal_name: *
 '''
@@ -133,6 +134,6 @@ value = [
 ]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-14d"