[New Rule] Detecting `AZUREADSSOACC` Abuse

### Description

_No response_

### Target Ruleset

None

### Target Rule Type

None

### Tested ECS Version

_No response_

### Query

_No response_

### New fields required in ECS/data sources for this rule?

_No response_

### Related issues or PRs

_No response_

### References

- https://sapirxfed.com/2025/07/23/i-just-wanted-to-see-what-ssso-looks-like/
- https://echeloncyber.com/intelligence/entry/cyber-threat-alert-abusing-azureadssoacc-for-pivoting-from-on-premises-active-directory-to-azure

### Redacted Example Data

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[New Rule] Detecting `AZUREADSSOACC` Abuse #4932

Description

Target Ruleset

Target Rule Type

Tested ECS Version

Query

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

Redacted Example Data

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[New Rule] Detecting AZUREADSSOACC Abuse #4932

Description

Description

Target Ruleset

Target Rule Type

Tested ECS Version

Query

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

Redacted Example Data

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

[New Rule] Detecting `AZUREADSSOACC` Abuse #4932